
Summary
This detection rule identifies potential tampering with Windows EventLog file locations by monitoring changes to the corresponding registry keys. Specifically, it targets the 'file' key associated with the EventLog service under the registry path \SYSTEM\CurrentControlSet\Services\EventLog\. The detection fires on an event that modifies this key, which indicates a possible attempt to change the default location of an EventLog (.evtx) file; relocating log files can undermine log retention and the alerting that depends on it. The rule uses a selection filter that matches these specific registry modifications, combined with a filter that excludes benign changes not related to the standard log storage path. With this detection in place, organizations can monitor for and respond to suspicious modifications that may signal an attempt to hide malicious activity or evade detection by altering where logs are stored.
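As an added example (not the rule's own logic), the check as it might run over Sysmon-style registry "value set" events: it matches the per-channel File value under the EventLog service path and drops changes whose new value still resolves into the default Winevt\Logs directory. The event field names, the acceptance of ControlSetNNN aliases alongside CurrentControlSet, and the sample records are assumptions made for this example.

```python
import re

# Default directory for .evtx files on a standard install; the benign filter
# accepts any new value that resolves into it (assumption about the rule).
DEFAULT_LOG_DIR = "\\system32\\winevt\\logs\\"

# Per-channel 'File' value under the EventLog service key. ControlSetNNN
# aliases are accepted too (a generalization beyond the page's path).
TARGET_RE = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\EventLog\\"
    r"(?P<channel>[^\\]+)\\File$",
    re.IGNORECASE,
)


def is_default_location(details: str) -> bool:
    """True when the new path still lands in the default log directory,
    whether written as %SystemRoot%\\... or C:\\Windows\\... ."""
    normalized = details.strip().strip('"').lower()
    normalized = normalized.replace("%systemroot%", "c:\\windows")
    return DEFAULT_LOG_DIR in normalized


def detect_eventlog_relocation(events) -> list:
    """One alert per Sysmon-style 'value set' event (EventID 13) whose
    TargetObject is a channel's File value and whose new Details point
    outside the default directory. Field names are assumed."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:          # 13 = registry value set
            continue
        match = TARGET_RE.search(ev.get("TargetObject", ""))
        if match is None:                    # not a channel's File value
            continue
        details = ev.get("Details", "")
        if is_default_location(details):     # benign: standard folder kept
            continue
        alerts.append({"channel": match.group("channel"),
                       "new_path": details, "image": ev.get("Image", "")})
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\EventLog\\Security\\File",
     "Details": "%SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx"},
    {"EventID": 13, "Image": "C:\\Temp\\app.exe",
     "TargetObject": "HKLM\\System\\ControlSet001\\Services\\EventLog\\Security\\File",
     "Details": "D:\\data\\sec.evtx"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\EventLog\\Security\\MaxSize",
     "Details": "DWORD (0x01400000)"},
]

if __name__ == "__main__":
    for alert in detect_eventlog_relocation(SAMPLE_EVENTS):
        print(f"ALERT channel={alert['channel']} new_path={alert['new_path']}")
```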
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2023-01-02