In the advanced rule editor (Matching tab, Advanced button), change the rule as follows: add a Target_OUs argument to the "arguments" section and an in_OU check to the body. Note that, as written, in_OU is evaluated against the operator (the account that performed the change), not against the modified group, so the rule only fires for changes made by accounts located in the listed OUs, and an empty Target_OUs list suppresses every alert. The sample value "OOUU" stands for the OU you actually want to monitor:
<rule type="REL" version="1.0">
  <arguments>
    <argument displayname="Authorized_Groups" name="Authorized_Groups" class="List" description="A list of groups for managing groups in an organization">
      <value></value>
    </argument>
    <argument displayname="Authorized_Users" name="Authorized_Users" class="List" description="A list of user accounts for managing groups in an organization">
      <value></value>
    </argument>
    <argument displayname="Skipped_Target_Groups" name="Skipped_Target_Groups" class="List" description="A list of groups to exclude from monitoring">
      <value></value>
    </argument>
    <argument displayname="Target_Groups" name="Target_Groups" class="List" description="A list of groups to monitor">
      <value>"*\\*"</value>
    </argument>
    <argument displayname="Target_OUs" name="Target_OUs" class="List" description="A list of OUs to monitor">
      <value>"OOUU"</value>
    </argument>
  </arguments>
  <prefilter>
  </prefilter>
  <body>
    def common(OperatorDomain, OperatorName, MemberAccount) :=
    {
      not in( strcat( OperatorDomain, "\\", OperatorName ), "wi", array(<parameter name="Authorized_Users"/>) )
      and not in( strcat( String4, "\\", String3 ), "wi", array(<parameter name="Skipped_Target_Groups"/>) )
      and in( strcat( String4, "\\", String3 ), "wi", array(<parameter name="Target_Groups"/>) )
      and not is_current_user( OperatorDomain, OperatorName )
      and not member_of( strcat( OperatorDomain, "\\", OperatorName ), array(<parameter name="Authorized_Groups"/>), true )
      and in_OU( OperatorDomain, OperatorName, array(<parameter name="Target_OUs"/>), true )
      and set_alert_field( "OperatorName", OperatorName, true )
      and set_alert_field( "OperatorDomain", OperatorDomain, true )
      and set_alert_field( "MemberAccount", MemberAccount, true )
    }
    (
      (EventID = 632 or EventID = 636 or EventID = 660 or EventID = 655 or EventID = 665 or EventID = 650)
      and striequ( Source, "security" )
      and common( String7, String6, String13 )
    )
    or
    (
      (EventID = 4728 or EventID = 4732 or EventID = 4756 or EventID = 4761 or EventID = 4751 or EventID = 4746)
      and common( String8, String7, String12 )
    );
  </body>
</rule>
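To see what the edited rule does and does not alert on, the following is an added example (not part of the page, and not InTrust code) that reproduces the body's decision chain in Python over a few constructed events. The directory lookups (account DN, nested group membership) are hypothetical stand-ins for what the product resolves in Active Directory; reading the trailing `true` of member_of and in_OU as "recursive" (nested groups, sub-OUs) is an assumption, as is modelling is_current_user as a single agent account name.

```python
import fnmatch
from dataclasses import dataclass, field

LEGACY_IDS = {632, 636, 660, 655, 665, 650}        # Windows 2000/2003 "member added"
MODERN_IDS = {4728, 4732, 4756, 4761, 4751, 4746}  # Windows 2008+ equivalents


@dataclass
class RuleArgs:
    """The rule's argument lists; defaults mirror the <value> elements above."""
    authorized_groups: list = field(default_factory=list)
    authorized_users: list = field(default_factory=list)
    skipped_target_groups: list = field(default_factory=list)
    target_groups: list = field(default_factory=lambda: ["*\\*"])
    target_ous: list = field(default_factory=list)   # empty, like "OOUU" left unset


# Constructed directory stand-ins (hypothetical; the real rule resolves these in AD).
DIRECTORY_DN = {
    "corp\\helpdesk1": "CN=helpdesk1,OU=Helpdesk,OU=IT,DC=corp,DC=example",
    "corp\\svc-iam": "CN=svc-iam,OU=Service Accounts,DC=corp,DC=example",
    "corp\\jsmith": "CN=jsmith,OU=Finance,DC=corp,DC=example",
}
GROUP_MEMBERS = {  # group -> direct members; nested on purpose
    "corp\\iam-admins": ["corp\\iam-tier0"],
    "corp\\iam-tier0": ["corp\\svc-iam"],
}


def in_wi(value, patterns):
    """REL in(value, "wi", array(...)): wildcard match, case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def member_of(account, groups, recursive=True, _seen=None):
    """Group membership, following nested groups when recursive (assumed meaning of 'true')."""
    _seen = _seen if _seen is not None else set()
    for g in groups:
        g = g.lower()
        if g in _seen:
            continue
        _seen.add(g)
        members = [m.lower() for m in GROUP_MEMBERS.get(g, [])]
        if account.lower() in members:
            return True
        if recursive and member_of(account, members, True, _seen):
            return True
    return False


def in_ou(account, ous, recursive=True):
    """Is the account's DN under one of the listed OUs (sub-OUs included when recursive)?"""
    dn = DIRECTORY_DN.get(account.lower(), "")
    parent = dn.split(",", 1)[1].lower() if "," in dn else ""
    return any(parent == ou.lower() or (recursive and parent.endswith("," + ou.lower()))
               for ou in ous)


def evaluate(event, args, current_user="corp\\svc-intrust"):
    """Return the alert fields the rule would set, or None when it does not fire."""
    eid = event["EventID"]
    if eid in LEGACY_IDS and event.get("Source", "").lower() == "security":
        op_domain, op_name, member = event["String7"], event["String6"], event["String13"]
    elif eid in MODERN_IDS:
        op_domain, op_name, member = event["String8"], event["String7"], event["String12"]
    else:
        return None
    operator = f"{op_domain}\\{op_name}"
    group = f"{event['String4']}\\{event['String3']}"   # target group in both layouts
    fires = (
        not in_wi(operator, args.authorized_users)
        and not in_wi(group, args.skipped_target_groups)
        and in_wi(group, args.target_groups)
        and operator.lower() != current_user.lower()      # not is_current_user(...)
        and not member_of(operator, args.authorized_groups, True)
        and in_ou(operator, args.target_ous, True)        # scoped by the OPERATOR's OU
    )
    if not fires:
        return None
    return {"OperatorName": op_name, "OperatorDomain": op_domain, "MemberAccount": member}


SAMPLE_EVENTS = [  # constructed, not captured from a real domain controller
    {"EventID": 4728, "String3": "Domain Admins", "String4": "CORP",
     "String7": "helpdesk1", "String8": "CORP", "String12": "CORP\\jdoe"},
    {"EventID": 4732, "String3": "Administrators", "String4": "BUILTIN",
     "String7": "svc-iam", "String8": "CORP", "String12": "CORP\\jdoe"},
    {"EventID": 632, "Source": "Security", "String3": "Domain Admins", "String4": "CORP",
     "String6": "jsmith", "String7": "CORP", "String13": "CORP\\jdoe"},
    {"EventID": 4756, "String3": "Temp-Access", "String4": "CORP",
     "String7": "helpdesk1", "String8": "CORP", "String12": "CORP\\jdoe"},
    {"EventID": 4624, "String3": "-", "String4": "-", "String7": "x", "String8": "CORP", "String12": "-"},
]
ARGS = RuleArgs(authorized_groups=["CORP\\iam-admins"],
                skipped_target_groups=["CORP\\Temp-*"],
                target_ous=["OU=IT,DC=corp,DC=example"])


def run(events=SAMPLE_EVENTS, args=ARGS):
    return [evaluate(e, args) for e in events]
```

Only the first event alerts: the helpdesk account sits under OU=IT and is not in an authorized group. The second is silenced by nested membership in iam-admins, the third because the Finance operator is outside the monitored OU, the fourth by the Skipped_Target_Groups wildcard. Evaluating the first event with `RuleArgs()` (all lists empty) also yields no alert, which is the trap to watch for after adding the in_OU line.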