Windows SQL Server xp_cmdshell Config Change

Splunk Security Content

Summary
This detection rule monitors changes to the configuration of the xp_cmdshell extended stored procedure in SQL Server. The xp_cmdshell feature allows the execution of operating system commands, which poses significant security risks if enabled. Changes to its configuration can indicate potential misuse for privilege escalation or lateral movement by attackers. This rule uses Windows Event Log Application events (Event Code 15457) to identify when the xp_cmdshell configuration is modified, tracking whether it was enabled, disabled, or otherwise modified. It extracts relevant data from the event log, assesses the risk based on the changes made, and calculates a risk score to facilitate incident response.
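The following is an added illustration of the detection logic described above, written in Python for readability; it is not the Splunk Security Content rule itself and not an SPL search. The event dictionaries are constructed samples in the shape of Windows Application-log records from SQL Server, the exact wording of the 15457 message text, the field names, and the numeric risk scores are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (not from the page). Each mimics a Windows
# Application-log record written by SQL Server; the Message wording is assumed.
SAMPLE_EVENTS = [
    {"EventCode": 15457, "ComputerName": "sql01.example.local",
     "Message": "Configuration option 'xp_cmdshell' changed from 0 to 1. "
                "Run the RECONFIGURE statement to install."},
    {"EventCode": 15457, "ComputerName": "sql01.example.local",
     "Message": "Configuration option 'show advanced options' changed from 0 to 1. "
                "Run the RECONFIGURE statement to install."},
    {"EventCode": 15457, "ComputerName": "sql02.example.local",
     "Message": "Configuration option 'xp_cmdshell' changed from 1 to 0. "
                "Run the RECONFIGURE statement to install."},
    {"EventCode": 18456, "ComputerName": "sql02.example.local",
     "Message": "Login failed for user 'sa'."},
]

# Pulls the option name and the old/new values out of a 15457 message.
MSG_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)

# Assumed risk scores per outcome; the real rule's values are not on the page.
RISK_SCORES = {"enabled": 80, "disabled": 30, "modified": 50}


@dataclass
class XpCmdshellChange:
    computer: str
    old_value: int
    new_value: int
    action: str      # "enabled", "disabled" or "modified"
    risk_score: int


def classify(old: int, new: int) -> str:
    """Map the old/new run_value pair to the action the rule tracks."""
    if old == 0 and new != 0:
        return "enabled"
    if old != 0 and new == 0:
        return "disabled"
    return "modified"


def parse_event(event: dict) -> Optional[XpCmdshellChange]:
    """Return a finding for an xp_cmdshell config change, else None."""
    if event.get("EventCode") != 15457:
        return None                      # not a configuration-change event
    match = MSG_RE.search(event.get("Message", ""))
    if match is None or match.group("option").lower() != "xp_cmdshell":
        return None                      # some other option was changed
    old, new = int(match.group("old")), int(match.group("new"))
    action = classify(old, new)
    return XpCmdshellChange(
        computer=event.get("ComputerName", "unknown"),
        old_value=old,
        new_value=new,
        action=action,
        risk_score=RISK_SCORES[action],
    )


def detect(events) -> list:
    """Run the parser over a stream of events and keep only the findings."""
    findings = []
    for event in events:
        change = parse_event(event)
        if change is not None:
            findings.append(change)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding.computer}: xp_cmdshell {finding.action} "
              f"({finding.old_value} -> {finding.new_value}), risk={finding.risk_score}")
```

Only the two xp_cmdshell records produce findings; the change to a different option and the non-15457 login event are filtered out, which is the same narrowing the rule's search performs before scoring.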
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1505
  • T1505.001
Created: 2025-02-04