So, I've got this rule:
<rule id="100008" level="0">
  <if_sid>550,551,552</if_sid>
  <match>Services</match>
  <match>Enum|BITS</match>
  <description>Ignoring innocuous registry changes</description>
</rule>

However it fails to catch this:

Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Portion of the log(s):

Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fvevol\Enum'

As far as I know this should work?
