I want to create a custom Alert Policy that notifies admins when a new 365 Group is created. This seems like a simple task, but we are getting flooded with "Group Created" alerts every time a user shares a file from SharePoint. It appears that behind the scenes, SharePoint is creating a system group of some sort to handle the access needed for the sharing link, and then the Audit Log detects this as "GroupAdded." There must be a way to handle this. What is the right way to create this alert policy without detecting every single shared link created?
From the Audit Log, I can see that the end user is creating a "Limited Access System Group":
"NewValue": "Limited Access System Group For Web *ID_REMOVED*"
This lines up exactly with an Alert generated by the alert policy that shows the user was creating a sharing link from SharePoint: