Some or all of the following parameters appear in the Advanced Details tab of events for the class Files. The values of these parameters can help you understand why a signature is triggered.
| GUI name | Explanation |
|---|---|
| files | Name of the file that was accessed |
| dest file | Only applicable for renaming files: new name that the file was changed to |
The following rule would prevent any user and any process from creating the file `abc.txt` in the folder `C:\test\`.

```
Rule {
Class Files
Id 4001
level 4
files { Include "C:\\test\\abc.txt" }
time { Include "*" }
application { Include "*" }
user_name { Include "*" }
directives -c -d files:create
}
```
The various sections of this rule have the following meaning:
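As an added example that is not part of the original page, the following Python script parses the rule above and evaluates a few constructed file events against it, showing which events the rule would trigger on. The event field names (files, application, user_name, operation), the case-insensitive comparison and the treatment of the -c -d flags as opaque are assumptions.

```python
import fnmatch
import re
# Rule text as given on the page (straight quotes; the rule file escapes backslashes).
RULE_TEXT = r'''
Rule {
Class Files
Id 4001
level 4
files { Include "C:\\test\\abc.txt" }
time { Include "*" }
application { Include "*"}
user_name { Include "*" }
directives -c -d files:create
}
'''
SECTION_RE = re.compile(r'^(\w+)\s*\{\s*Include\s+"([^"]*)"\s*\}$', re.I)

def parse_rule(text):
    """Parse one Rule { ... } block into a dict of its sections."""
    rule = {"include": {}, "flags": [], "operations": set()}
    for line in (l.strip() for l in text.splitlines() if l.strip() not in ("", "Rule {", "}")):
        m = SECTION_RE.match(line)
        key, _, value = line.partition(" ")
        if m:  # "C:\\test" in the rule file denotes the path C:\test
            rule["include"].setdefault(m.group(1).lower(), []).append(m.group(2).replace("\\\\", "\\"))
        elif key.lower() == "directives":
            for tok in value.split():  # -c / -d kept as opaque flags; their meaning is not modelled
                (rule["flags"].append if tok.startswith("-") else rule["operations"].add)(tok)
        else:
            rule[key.lower()] = value  # Class, Id, level
    return rule

def matches(rule, event):
    """True if an event (files, application, user_name, operation) would trigger the rule."""
    if event.get("operation") not in rule["operations"]:
        return False
    # Every Include section must match; "*" matches anything. Values are compared
    # case-insensitively, as Windows paths and account names are (assumption).
    return all(any(fnmatch.fnmatchcase(event.get(sec, "").lower(), p.lower()) for p in pats)
               for sec, pats in rule["include"].items())

# Constructed sample events (not from the page): create, write, and create of another file.
EVENTS = [
    {"files": r"C:\test\abc.txt", "application": r"C:\Windows\notepad.exe", "user_name": "alice", "operation": "files:create"},
    {"files": r"C:\test\abc.txt", "application": r"C:\Windows\notepad.exe", "user_name": "alice", "operation": "files:write"},
    {"files": r"C:\test\other.txt", "application": r"C:\Windows\cmd.exe", "user_name": "SYSTEM", "operation": "files:create"},
]

def triggered(events=EVENTS, rule_text=RULE_TEXT):
    return [matches(parse_rule(rule_text), e) for e in events]
```

Only the first event (creation of `C:\test\abc.txt`) matches: a write to the same file is outside the `files:create` directive, and creation of a different file is outside the `files` Include.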