diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml index c73d5b2e..cb5aa7a8 100644 --- a/rules/windows/builtin/win_susp_net_recon_activity.yml +++ b/rules/windows/builtin/win_susp_net_recon_activity.yml @@ -18,10 +18,16 @@ logsource: product: windows service: security definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems +logsource: + product: windows + service: security + definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems detection: selection: - - EventID: 4661 - ObjectType: 'SAM_USER' + EventID: 4661 + ObjectType: + - 'SAM_USER' + - 'SAM_GROUP' ObjectName|startswith: 'S-1-5-21-' AccessMask: '0x2d' selection2:
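Review bot: the hunk introduces a second top-level `logsource:` block (`+logsource:`, `+ product: windows`, `+ service: security`, `+ definition: ...`) immediately after the existing, unchanged `logsource:` block, so the rule now has a duplicate mapping key; YAML loaders will either reject the file or silently keep only the last copy, and the Sigma test suite is likely to flag it. Drop the four added `logsource` lines and keep the original block as it was. The detection change itself, replacing the two-item list under `selection` (`- EventID: 4661` / `- ObjectType: 'SAM_USER'`) with a single map whose `ObjectType` is the list `'SAM_USER'`, `'SAM_GROUP'`, is the right shape for matching both object types with one `EventID`, but please check that `ObjectName|startswith: 'S-1-5-21-'` and `AccessMask: '0x2d'` are indented at the same level as the new `EventID` key (the flattened diff hides this), and that the rule's title and description mention group objects now that `SAM_GROUP` is in scope.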