It would probably look like:
NewDomainMember EXISTS
AND DeleteDomainMember EXISTS
AND NewDomainMember.DestinationAccount = DeleteDomainMember.DestinationAccount
within time/response window 24 hours
(The first two lines with the EXISTS are redundant to the third but help you see what's going on.)
The downside of this is you expand your global response window to whatever that period is (24 hours), which means your appliance might hold onto more data longer in memory. To test it I'd set the time period short and see how it works.