Remote Registry Key modifications

Splunk Security Content

Summary
This detection rule monitors remote modifications to Windows registry keys, which can indicate adversaries manipulating system configuration or establishing persistence. It relies on Sysmon Event ID 13 (registry value set events), filtering for records whose registry path indicates remote access. The search uses Splunk's data model to aggregate and display the affected registry key names and paths together with the first and last time each change was seen. The rule has been marked deprecated because of concerns about its logic and the high false positive rate expected from legitimate administrative activity that also modifies registry keys remotely. Organizations that still use it should exercise caution and add supplementary filtering to separate malicious actions from routine administration.
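The following is an added Python example, not Splunk's own search, that models the rule's logic over constructed Sysmon Event ID 13 records: it keeps only events whose registry path carries a remote-host prefix, aggregates them by destination and user with first/last times, and applies the kind of allowlist filter the summary recommends. The UNC-style `\\host\` prefix as the meaning of "path indicates remote access", and all hosts, users and paths, are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records shaped like Sysmon Event ID 13 (RegistryEvent, value set);
# the hosts, users and paths are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-11-14 09:00:01.000", "Computer": "ws01", "User": "CORP\\alice",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "UtcTime": "2024-11-14 09:05:12.000", "Computer": "ws01", "User": "CORP\\svc-deploy",
     "TargetObject": r"\\ws02\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Agent"},
    {"EventID": 13, "UtcTime": "2024-11-14 09:07:30.000", "Computer": "ws01", "User": "CORP\\bob",
     "TargetObject": r"\\fileserv\HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath"},
    {"EventID": 12, "UtcTime": "2024-11-14 09:08:00.000", "Computer": "ws01", "User": "CORP\\bob",
     "TargetObject": r"\\fileserv\HKLM\SYSTEM\CurrentControlSet\Services\Spooler"},
]

# Assumption: a registry path that starts with a UNC-style "\\host\" prefix is what
# "the registry path indicates remote access" means; this stands in for the rule's filter.
REMOTE_PATH = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<path>.+)$")

def is_remote_modification(event):
    """Event ID 13 (value set) whose target path carries a remote-host prefix."""
    return event["EventID"] == 13 and REMOTE_PATH.match(event["TargetObject"]) is not None

def aggregate_remote_registry_mods(events, allowed_users=frozenset()):
    """Group matching events by (dest, user) with first/last time, key names and paths,
    mirroring the rule's aggregation. allowed_users is the supplementary filter the
    summary recommends: known administrative accounts are dropped before aggregation."""
    groups = defaultdict(lambda: {"count": 0, "registry_key_name": set(),
                                  "registry_path": set(), "firstTime": None, "lastTime": None})
    for ev in events:
        if not is_remote_modification(ev) or ev["User"] in allowed_users:
            continue
        path = REMOTE_PATH.match(ev["TargetObject"]).group("path")
        key_name = path.rsplit("\\", 1)[0]          # key = path without the value name
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        g = groups[(ev["Computer"], ev["User"])]
        g["count"] += 1
        g["registry_key_name"].add(key_name)
        g["registry_path"].add(path)
        g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
        g["lastTime"] = ts if g["lastTime"] is None else max(g["lastTime"], ts)
    return dict(groups)

if __name__ == "__main__":
    for (dest, user), g in aggregate_remote_registry_mods(SAMPLE_EVENTS).items():
        print(dest, user, g["count"], sorted(g["registry_key_name"]))
```

Without the allowlist both remote writers are reported; passing the deployment account in `allowed_users` leaves only the unexpected writer, which is the kind of tuning the summary calls for before relying on this logic.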
Categories
  • Endpoint
Data Sources
  • Windows Registry
Created: 2024-11-14