Uncommon Registry Persistence Change

Elastic Detection Rules

Summary
The 'Uncommon Registry Persistence Change' rule detects modifications to Windows registry keys that legitimate applications rarely alter, a pattern consistent with stealthy persistence mechanisms used by adversaries. This EQL-based detection looks for registry changes on Windows endpoints within the past nine months, focusing on less common registry paths that malware often abuses for persistence. The query filters out routine modifications made by trusted processes and new configurations written by legitimate software, narrowing the results to suspicious changes that could indicate malicious intent. It monitors specific registry paths and values and carries a risk score of 47, which is used to prioritize alerts by severity. The accompanying guide recommends investigation steps, stressing the need to examine the context of each registry change and to correlate alerts with other anomalous activity. It also addresses likely false positive scenarios and underlines the value of routine investigation to distinguish benign events from real threats.
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
  • Process
  • Sensor Health
ATT&CK Techniques
  • T1546
  • T1546.002
  • T1547
  • T1547.001
  • T1112
Created: 2020-11-18