
Summary
This detection rule targets modifications to the EventLog security descriptor in the Windows Registry, a change that can represent a defense evasion tactic employed by attackers. It specifically monitors the `CustomSD` value under the path `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD`. Modifying this value can alter the access permissions on the corresponding event log channel, potentially allowing attackers to prevent security products and users from viewing or interacting with those logs and thereby obscuring their activity. The detection relies on data from the Endpoint.Registry data model, tracking registry changes that correspond to such suspicious modifications. The search query is driven by Sysmon EventID 13 logs, which record registry value writes that can indicate tampering or malicious modification.
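As an added illustration of the detection logic described above (not the rule's own search, which runs over the Endpoint.Registry data model), the following Python applies the same filter to a few constructed Sysmon EventID 12/13 records. The field names follow Sysmon's registry-event layout (`TargetObject`, `Details`, `Image`) and every sample value is invented.

```python
import re
from dataclasses import dataclass

# Hypothetical Python stand-in for the rule's search logic (not the rule's own query): match
# Sysmon EventID 13 (RegistryEvent - Value Set) records whose TargetObject is the CustomSD
# value of any EventLog channel and report the security descriptor (SDDL) that was written.
CUSTOMSD_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\EventLog\\([^\\]+)\\CustomSD$", re.IGNORECASE)
# SDDL access-denied ACE types ("D", object-denied "OD"): a deny ACE written into CustomSD
# is what locks readers such as security products and users out of the channel.
DENY_ACE_RE = re.compile(r"\((?:D|OD);")

@dataclass
class Finding:
    host: str
    user: str
    image: str
    channel: str
    sddl: str
    has_deny_ace: bool

def detect_customsd_writes(events):
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:   # value-set only; key create/delete (EventID 12) is ignored
            continue
        match = CUSTOMSD_RE.match(ev.get("TargetObject", ""))
        if not match:                 # other values under the EventLog key (e.g. MaxSize) pass
            continue
        sddl = ev.get("Details", "")
        findings.append(Finding(ev.get("Computer", "?"), ev.get("User", "?"), ev.get("Image", "?"),
                                match.group(1), sddl, bool(DENY_ACE_RE.search(sddl))))
    return findings

# Constructed sample events in the field layout of Sysmon EventID 12/13 (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "User": "CORP\\admin", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\EventLog\\Security\\CustomSD",
     "Details": "O:BAG:SYD:(D;;0xf0007;;;WD)(A;;0x1;;;BA)"},   # denies Everyone, allows admins
    {"EventID": 13, "Computer": "ws01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\EventLog\\Application\\MaxSize",
     "Details": "DWORD (0x01400000)"},                           # unrelated EventLog value
    {"EventID": 12, "Computer": "ws01", "User": "CORP\\admin", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\EventLog\\System\\CustomSD"},
    {"EventID": 13, "Computer": "srv02", "User": "CORP\\svc_deploy", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\EventLog\\"
                     "Microsoft-Windows-PowerShell/Operational\\CustomSD",
     "Details": "O:BAG:SYD:(A;;0x1;;;WD)"},                     # rewritten with no deny ACE
]
```

Only the two value-set writes to a `CustomSD` value are reported; the deny-ACE flag separates the rewrite that locks Everyone out of the Security log from the permissive one, which a triage workflow can use for prioritisation.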
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1562
- T1562.002
Created: 2025-01-07