The <group> tag is used to collect together rules that have some common purpose or meaning. There are places in OSSEC configuration where you may want to reference other rules, such as for example, active responses. If you want an active response to fire if any rule in a set of rules is triggered, you could use the <group> as the matching criteria, rather than individually listing each rule.
The <group> tag is also used inside of a rule definition to add a rule to a subgroup. So there are several places the <group> tag is used. Hope that clears things up, Dave
