Forum Discussion

gpneira
Copper Contributor
Jul 20, 2023
Solved

Detection rule Admin Grant permission granted

Hello, I have to deploy a rule that detects when a local user has received admin rights (or was added to an admin local group) and then this account made a login. I have the tables that come from ...
  • dnsrk
    Jul 23, 2023

    Hey gpneira
    If I understand you correctly, the query below should help you.

    First, it looks for 'UserAccountAddedToLocalGroup' and extends the necessary fields, especially AddedAccountSID. Then it joins this table with DeviceLogonEvents where AddedAccountSID == AddedAccountSID.

    Please let me know if this worked for you. 

    DeviceEvents
    | where ActionType == 'UserAccountAddedToLocalGroup'
    // MemberSid in AdditionalFields is the account that was added; AccountName/AccountSid are the target group
    | extend AddedAccountSID = tostring(parse_json(AdditionalFields).MemberSid)
    | extend LocalGroup = AccountName
    | extend LocalGroupSID = AccountSid
    | extend Actor = trim(@"[^\w]+", InitiatingProcessAccountName)
    | project-rename GrantTime = Timestamp
    | join kind=inner (
        DeviceLogonEvents
        | where IsLocalAdmin == true
        | where tobool(parse_json(AdditionalFields).IsLocalLogon) == true
        | project-rename LogonTime = Timestamp, LogonAccount = AccountName
    ) on $left.AddedAccountSID == $right.AccountSid, DeviceName
    // keep only logons that happened after the group membership was granted, on the same device
    | where LogonTime > GrantTime
    | project GrantTime, LogonTime, DeviceName, LocalGroup, LocalGroupSID, AddedAccountSID, LogonAccount, LogonType, Actor, ActionType
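The same correlation as the query in the reply above, run over a handful of constructed rows so the matching rules can be checked offline. This is an added illustration, not dnsrk's query or anything from Microsoft; the field names follow the DeviceEvents / DeviceLogonEvents columns referenced in the thread, the sample rows are made up, and the requirement that the logon occur after the grant and on the same device is an assumption about what the rule should mean, not something the original query enforces.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Column names mirror the
# Defender for Endpoint DeviceEvents / DeviceLogonEvents schemas used above.
T0 = datetime(2023, 7, 20, 9, 0, 0)
TARGET_SID = "S-1-5-21-1111-2222-3333-1001"

DEVICE_EVENTS = [
    {   # the grant: TARGET_SID added to the local Administrators group on host1
        "Timestamp": T0,
        "DeviceName": "host1.corp.local",
        "ActionType": "UserAccountAddedToLocalGroup",
        "AccountName": "Administrators",       # group name
        "AccountSid": "S-1-5-32-544",          # group SID
        "AdditionalFields": json.dumps({"MemberSid": TARGET_SID}),
        "InitiatingProcessAccountName": "helpdesk",
    },
    {   # unrelated action type, must be ignored
        "Timestamp": T0,
        "DeviceName": "host1.corp.local",
        "ActionType": "UserAccountCreated",
        "AccountName": "svc_backup",
        "AccountSid": TARGET_SID,
        "AdditionalFields": "{}",
        "InitiatingProcessAccountName": "helpdesk",
    },
]

def _logon(ts, device, is_admin, is_local, logon_type="Interactive"):
    return {"Timestamp": ts, "DeviceName": device, "AccountName": "svc_backup",
            "AccountSid": TARGET_SID, "IsLocalAdmin": is_admin, "LogonType": logon_type,
            "AdditionalFields": json.dumps({"IsLocalLogon": is_local})}

LOGON_EVENTS = [
    _logon(T0 + timedelta(minutes=5), "host1.corp.local", True, True),    # should alert
    _logon(T0 - timedelta(hours=1), "host1.corp.local", False, True),     # before the grant
    _logon(T0 + timedelta(minutes=9), "host2.corp.local", True, True),    # different device
    _logon(T0 + timedelta(minutes=7), "host1.corp.local", True, False, "Network"),  # not a local logon
]

def actor_name(name):
    """Mirror KQL trim(@"[^\\w]+", x): strip non-word characters from both ends."""
    return re.sub(r"^\W+|\W+$", "", name)

def extract_grants(device_events):
    """First half of the query: keep group-add events and pull out the member SID."""
    grants = []
    for ev in device_events:
        if ev["ActionType"] != "UserAccountAddedToLocalGroup":
            continue
        fields = json.loads(ev["AdditionalFields"])
        grants.append({
            "GrantTime": ev["Timestamp"],
            "DeviceName": ev["DeviceName"],
            "LocalGroup": ev["AccountName"],
            "LocalGroupSID": ev["AccountSid"],
            "AddedAccountSID": str(fields.get("MemberSid", "")),
            "Actor": actor_name(ev["InitiatingProcessAccountName"]),
        })
    return grants

def correlate(device_events, logon_events):
    """Second half: join grants to logons on SID and device, keeping only
    admin, local logons that happen after the membership change."""
    results = []
    for g in extract_grants(device_events):
        for lg in logon_events:
            if lg["AccountSid"] != g["AddedAccountSID"] or lg["DeviceName"] != g["DeviceName"]:
                continue
            if not lg["IsLocalAdmin"]:
                continue
            if not bool(json.loads(lg["AdditionalFields"]).get("IsLocalLogon", False)):
                continue
            if lg["Timestamp"] <= g["GrantTime"]:
                continue
            results.append({**g, "LogonTime": lg["Timestamp"],
                            "LogonAccount": lg["AccountName"], "LogonType": lg["LogonType"]})
    return results

if __name__ == "__main__":
    for hit in correlate(DEVICE_EVENTS, LOGON_EVENTS):
        print(f'{hit["DeviceName"]}: {hit["Actor"]} added {hit["AddedAccountSID"]} to '
              f'{hit["LocalGroup"]} at {hit["GrantTime"]}, admin logon at {hit["LogonTime"]}')
```

Of the four constructed logons only the first survives: the logon that predates the grant, the logon on another host, and the network logon are all dropped, which is the behaviour you want before turning the query into a scheduled rule (a plain SID join would also fire on the earlier and the remote logons).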