In this scenario, you need to provide the name of a domain controller with the LEM agent installed on it for that first field. You may need to define that with a text constant. The other fields can come from the alert data.
Basically, you're telling LEM "If you see THING, then go to DOMAIN CONTROLLER AGENT and remove USER NAME from GROUP NAME."
IMHO, what may make more sense is setting up an action that disables the newly added account and the source account that made the change (that'd be two actions in one rule).