add keywords condition

rules/web/web_cve_2021_26858_iis_rce.yml

@@ -19,7 +19,14 @@ detection:
             - 'schema=Reset'
             - 'VirtualDirectory'
         cs-username|endswith: '$'
-    condition: selection
+    keywords:
+        - 'POST'
+        - '200'
+        - '/ecp/DDI/DDIService.svc/SetObject'
+        - 'schema=Reset'
+        - 'VirtualDirectory'
+        - '$'    
+    condition: selection or all of keywords
 falsepositives:
     - Unlikely
 level: critical