+<!-- Granular group rules -->
+
+ <rule id="18200" level="5">
+ <if_sid>18104</if_sid>
+ <id>^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|</id>
+ <id>^663$|^4759$</id>
+ <description>Group Account Created</description>
+ <group>group_created,win_group_created,</group>
+ </rule>
+
+ <rule id="18201" level="5">
+ <if_sid>18104</if_sid>
+ <id>^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|</id>
+ <id>^667$|^4763$</id>
+ <description>Group Account Deleted</description>
+ <group>group_deleted,win_group_deleted,</group>
+ </rule>
+
+ <rule id="18202" level="5">
+ <if_sid>18200</if_sid>
+ <id>^631$|^4727$</id>
+ <description>Security Enabled Global Group Created</description>
+ <group>group_created,win_group_created,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631</info>
+ </rule>
+
+ <rule id="18203" level="5">
+ <if_sid>18114</if_sid>
+ <id>^632$|^4728$</id>
+ <description>Security Enabled Global Group Member Added</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632</info>
+ </rule>
+
+ <rule id="18204" level="5">
+ <if_sid>18114</if_sid>
+ <id>^633$|^4729$</id>
+ <description>Security Enabled Global Group Member Removed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633</info>
+ </rule>
+
+ <rule id="18205" level="5">
+ <if_sid>18201</if_sid>
+ <id>^634$|^4730$</id>
+ <description>Security Enabled Global Group Deleted</description>
+ <group>group_deleted,win_group_deleted,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634</info>
+ </rule>
+
+ <rule id="18206" level="5">
+ <if_sid>18200</if_sid>
+ <id>^635$|^4731$</id>
+ <description>Security Enabled Local Group Created</description>
+ <group>group_created,win_group_created,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635</info>
+ </rule>
+
+ <rule id="18207" level="5">
+ <if_sid>18114</if_sid>
+ <id>^636$|^4732$</id>
+ <description>Security Enabled Local Group Member Added</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636</info>
+ </rule>
+
+ <rule id="18208" level="5">
+ <if_sid>18114</if_sid>
+ <id>^637$|^4733$</id>
+ <description>Security Enabled Local Group Member Removed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637</info>
+ </rule>
+
+ <rule id="18209" level="5">
+ <if_sid>18201</if_sid>
+ <id>^638$|^4734$</id>
+ <description>Security Enabled Local Group Deleted</description>
+ <group>group_deleted,win_group_deleted,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638</info>
+ </rule>
+
+ <rule id="18210" level="5">
+ <if_sid>18114</if_sid>
+ <id>^639$|^4735$</id>
+ <description>Security Enabled Local Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639</info>
+ </rule>
+
+ <rule id="18211" level="5">
+ <if_sid>18114</if_sid>
+ <id>^641$|^4737$</id>
+ <description>Security Enabled Global Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641</info>
+ </rule>
+
+ <rule id="18212" level="5">
+ <if_sid>18200</if_sid>
+ <id>^658$|^4754$</id>
+ <description>Security Enabled Universal Group Created</description>
+ <group>group_created,win_group_created,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658</info>
+ </rule>
+
+ <rule id="18213" level="5">
+ <if_sid>18114</if_sid>
+ <id>^659$|^4755$</id>
+ <description>Security Enabled Universal Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659</info>
+ </rule>
+
+ <rule id="18214" level="5">
+ <if_sid>18114</if_sid>
+ <id>^660$|^4756$</id>
+ <description>Security Enabled Universal Group Member Added</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660</info>
+ </rule>
+
+ <rule id="18215" level="5">
+ <if_sid>18114</if_sid>
+ <id>^661$|^4757$</id>
+ <description>Security Enabled Universal Group Member Removed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661</info>
+ </rule>
+
+ <rule id="18216" level="5">
+ <if_sid>18201</if_sid>
+ <id>^662$|^4758$</id>
+ <description>Security Enabled Universal Group Deleted</description>
+ <group>group_deleted,win_group_deleted,</group>
+ <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662</info>
+ </rule>
+
+ <rule id="18217" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+\p*S-1-5-32-544\p*</regex>
+ <description>Administrators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18218" level="5">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-1-0}</regex>
+ <description>Everyone Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18219" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-9}</regex>
+ <description>Enterprise Domain Controllers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18220" level="5">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-11}</regex>
+ <description>Authenticated Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18221" level="5">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-13}</regex>
+ <description>Terminal Server Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18222" level="12">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-512}</regex>
+ <description>Domain Admins Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18223" level="5">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-513}</regex>
+ <description>Domain Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18224" level="0">
+ <if_sid>18223,18203</if_sid>
+ <match>Target Account Name: None</match>
+ <description>Local User Group NONE</description>
+ <info>Bogus group user added to upon creation</info>
+ </rule>
+
+ <rule id="18225" level="12">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-514}</regex>
+ <description>Domain Guests Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18226" level="5">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-515}</regex>
+ <description>Domain Computers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18227" level="12">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-516}</regex>
+ <description>Domain Controllers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18228" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-517}</regex>
+ <description>Cert Publishers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18229" level="12">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\.+-518}</regex>
+ <description>Schema Admins Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18230" level="12">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-519}</regex>
+ <description>Enterprise Admins Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18231" level="10">
+ <if_sid>18203,18204</if_sid>
+ <regex> ID:\s+%{S-1-5-21\S+-520}</regex>
+ <description>Group Policy Creator Owners Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18232" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex>\w* ID:\s+%{S-1-5-21\S+-553}</regex>
+ <description>RAS and IAS Servers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18233" level="5">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-545}</regex>
+ <description>Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18234" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-546}</regex>
+ <description>Guests Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18235" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-547}</regex>
+ <description>Power Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18236" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-548}</regex>
+ <description>Account Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18237" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-549}</regex>
+ <description>Server Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18238" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex>\w* ID:\s+%{S-1-5-32-550}</regex>
+ <description>Print Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18239" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-551}</regex>
+ <description>Backup Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18240" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-552}</regex>
+ <description>Replicators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18241" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-554}</regex>
+ <description>Pre-Windows 2000 Compatible Access Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18242" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-555}</regex>
+ <description>Remote Desktop Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18243" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-556}</regex>
+ <description>Network Configuration Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18244" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-557}</regex>
+ <description>Incoming Forest Trust Builders Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18245" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-558}</regex>
+ <description>Performance Monitor Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18246" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-559}</regex>
+ <description>Performance Log Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18247" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-560}</regex>
+ <description>Windows Authorization Access Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18248" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-561}</regex>
+ <description>Terminal Server License Servers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18249" level="8">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-562}</regex>
+ <description>Distributed COM Users Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18250" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-\s*21\.+\s*-498}</regex>
+ <description>Enterprise Read-only Domain Controllers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18251" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-\s*21\.+\s*-529}</regex>
+ <description>Read-only Domain Controllers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18252" level="12">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-569}</regex>
+ <description>Cryptographic Operators Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18253" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-\s*21\.+\s*-571}</regex>
+ <description>Allowed RODC Password Replication Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18254" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-\s*21\.+\s*-572}</regex>
+ <description>Denied RODC Password Replication Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18255" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-573}</regex>
+ <description>Event Log Readers Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
+
+ <rule id="18256" level="10">
+ <if_sid>18207,18208</if_sid>
+ <regex> ID:\s+%{S-1-5-32-574}</regex>
+ <description>Certificate Service DCOM Access Group Changed</description>
+ <group>group_changed,win_group_changed,</group>
+ <info>http://support.microsoft.com/kb/243330</info>
+ </rule>
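Review bot: Rules 18229 (Schema Admins) and 18230 (Enterprise Admins) chain only to 18203,18204, the global-group member added/removed rules for events 632/633 and 4728/4729; in a native-mode domain both groups are universal groups, so their membership changes are logged as 660/661 (4756/4757), which this file routes to 18214/18215 and which therefore never reach these level-12 rules. Adding the universal-group parents on both rules, `<if_sid>18203,18204,18214,18215</if_sid>`, closes that gap without affecting mixed-mode domains where the groups are still global. Separately, 18229 writes the domain portion of the SID as `\.+` where every sibling rule uses `\S+`; since `\.` matches any character in this regex dialect, the pattern can span whitespace into unrelated fields, so `<regex> ID:\s+%{S-1-5-21\S+-518}</regex>` would be the consistent form. The hunk has no visible header and appears to continue past the last line shown here.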