
Summary
This detection rule targets tampering with the SentinelOne shell context menu scan command on Windows systems. The registry key 'HKEY_CLASSES_ROOT\*\shell\SentinelOneScan\command\' holds the command line that Explorer runs when a user picks the SentinelOne scan verb from the context menu of any file (the '*' class applies to every file type), so an attacker who rewrites it can have an arbitrary program launched, under the interactive user's account, each time the verb is used. The rule monitors registry value-set events against that key and flags a change when the writing process is not a known SentinelOne binary. A further filter keeps the rule from reporting writes that leave the command's default behaviour intact, so only changes that actually repoint the scan command are surfaced; the alert fires when both conditions hold, that is, a non-SentinelOne process has replaced the command with something other than the expected scanner. This makes the rule useful for catching a persistence mechanism or user-triggered command execution that hides behind SentinelOne's own context menu entry.
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
Created: 2024-03-06