
Summary
This detection rule identifies potentially malicious use of `reg.exe` with the `save` or `export` parameters by monitoring process execution logs and command-line arguments collected from Endpoint Detection and Response (EDR) agents. It focuses on commands that threat actors can use to dump sensitive registry data, manipulate registry entries, or evaluate their access rights on a compromised system. Because exporting or saving registry hives can support privilege escalation, persistence, or access to confidential information, this behaviour is a key indicator of suspicious activity. The rule processes event data from several sources, primarily Sysmon EventID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2, to maintain accurate detection while minimising noise from legitimate administrator actions. The detection logic is built on a data model aligned with Splunk's Common Information Model (CIM), so it remains compatible across EDR products.
Categories
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1012
Created: 2025-01-15