- Class Registry: indicates that this rule relates to requests sent to IIS.
- Id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID.
- level 4: Assigns the Security Level ‘high’ to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same level.
- value { Include "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\abc" }: Indicates that the rule monitors the registry value abc under the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa". If the rule were to cover multiple values, you would add them in this section on separate lines.
- time { Include "*" }: This section is currently not used, but it must be included in exactly this form in the rule.
- application { Include "*" }: Indicates that this rule is valid for all processes. If you wanted to limit the rule to specific processes, you would spell them out here, complete with their path names.
- user_name { Include "*" }: Indicates that this rule is valid for all users (or, more precisely, for every security context in which a process runs). If you wanted to limit the rule to specific user contexts, you would spell them out here in the form Local/user or Domain/user. See the paragraph "Mandatory Common Sections" for details.
- directives -c -d registry:delete: Indicates that this rule covers deletion of a registry key or value. The switches -c and -d must always be used in the directives section.
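The sections above are easier to reason about when you can parse a whole signature and check the constraints the list states (one Id and one level shared by every rule, the fixed time section, the mandatory -c -d switches). The following Python is an added example written for this page, not part of the original documentation or of the product: it parses a constructed two-rule Registry signature in the section syntax described above, validates those constraints, and translates the \\REGISTRY\\MACHINE\\... value path into the HKEY_LOCAL_MACHINE form using the mapping given for the value section. The `Rule { ... }` wrapper and the `tag` line are assumed framing, and the second rule's value name `def` is made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample signature (not taken from the page): two Registry rules that
# share Id 4001 and level 4, each monitoring one value under HKLM\...\Control\Lsa.
# The "Rule { ... }" wrapper and the tag line are assumed framing.
SAMPLE_SIGNATURE = r'''
Rule {
  tag "lsa_abc_delete"
  Class Registry
  Id 4001
  level 4
  value { Include "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\abc" }
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives -c -d registry:delete
}
Rule {
  tag "lsa_def_delete"
  Class Registry
  Id 4001
  level 4
  value { Include "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\def" }
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives -c -d registry:delete
}
'''

@dataclass
class Rule:
    scalars: dict = field(default_factory=dict)     # tag, Class, Id, level
    sections: dict = field(default_factory=dict)    # name -> {"Include": [...], "Exclude": [...]}
    directives: list = field(default_factory=list)  # e.g. ["-c", "-d", "registry:delete"]

SECTION_RE = re.compile(r'^(\w+)\s*\{(.*)\}$')          # value { Include "..." }
ITEM_RE = re.compile(r'(Include|Exclude)\s+"([^"]*)"')

def parse_signature(text):
    """Split the signature text into Rule objects, one per Rule { ... } block."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Rule") and line.endswith("{"):
            current = Rule()
            continue
        if line == "}":
            rules.append(current)
            current = None
            continue
        if current is None:
            raise ValueError("text outside a Rule block: " + line)
        m = SECTION_RE.match(line)
        if m:                                  # brace sections: value/time/application/user_name
            items = {"Include": [], "Exclude": []}
            for kind, val in ITEM_RE.findall(m.group(2)):
                items[kind].append(val)
            current.sections[m.group(1)] = items
            continue
        key, _, rest = line.partition(" ")     # scalar lines: tag, Class, Id, level, directives
        if key == "directives":
            current.directives = rest.split()
        elif key == "tag":
            current.scalars["tag"] = rest.strip('"')
        else:
            current.scalars[key] = rest.strip()
    if current is not None:
        raise ValueError("unterminated Rule block")
    return rules

MANDATORY_COMMON = ("time", "application", "user_name")

def validate_signature(rules):
    """Return a list of problems; an empty list means the signature is consistent."""
    problems = []
    if not rules:
        return ["signature contains no rules"]
    ids = {r.scalars.get("Id") for r in rules}
    levels = {r.scalars.get("level") for r in rules}
    if len(ids) != 1:                          # every rule of one signature shares the Id
        problems.append(f"all rules must share one Id, found {sorted(ids, key=str)}")
    if len(levels) != 1:                       # ... and the level
        problems.append(f"all rules must share one level, found {sorted(levels, key=str)}")
    for i, r in enumerate(rules, 1):
        for name in MANDATORY_COMMON:
            if name not in r.sections:
                problems.append(f"rule {i}: missing mandatory section '{name}'")
        t = r.sections.get("time")             # time is unused but must be { Include "*" }
        if t is not None and (t["Include"] != ["*"] or t["Exclude"]):
            problems.append(f'rule {i}: time section must be exactly {{ Include "*" }}')
        if r.directives[:2] != ["-c", "-d"]:   # -c and -d are always required
            problems.append(f"rule {i}: directives must start with -c -d")
        if len(r.directives) < 3:
            problems.append(f"rule {i}: directives names no operation")
    return problems

def registry_value_to_hklm(value):
    """Map a \\REGISTRY\\MACHINE\\... value path to (HKEY_LOCAL_MACHINE key, value name),
    using the mapping given for the value section (ControlSet reads as CurrentControlSet)."""
    parts = value.split("\\\\")                # components are separated by a doubled backslash
    if parts[:3] != ["", "REGISTRY", "MACHINE"] or len(parts) < 4:
        raise ValueError("only \\\\REGISTRY\\\\MACHINE paths are handled here: " + value)
    key_parts = ["HKEY_LOCAL_MACHINE"] + [
        "CurrentControlSet" if p == "ControlSet" else p for p in parts[3:-1]]
    return "\\".join(key_parts), parts[-1]

if __name__ == "__main__":
    parsed = parse_signature(SAMPLE_SIGNATURE)
    print("problems:", validate_signature(parsed) or "none")
    for r in parsed:
        print(r.scalars["tag"], "->", registry_value_to_hklm(r.sections["value"]["Include"][0]))
```

The validator deliberately treats the time section strictly, because the text says the section is unused yet must be present in exactly that form; a rule that narrows it would be rejected before it ever reached the product, which is where you want such mistakes caught.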