
Summary
This detection rule targets changes to the "xp_cmdshell" stored procedure setting in Microsoft SQL Server (MSSQL). This specific change is worth tracking because of the risk it carries: enabling "xp_cmdshell" allows operating-system commands to be run from the database server, which can lead to exploitation and lateral movement within the environment. The rule detects the change by monitoring events generated by MSSQL that indicate the setting was modified, specifically EventID 15457, which is triggered when the setting is altered. Using a selection condition that matches on the presence of "xp_cmdshell" in the event data, the rule alerts security teams to unauthorized or suspicious activity related to command execution capabilities in the database. Note that legitimate administrative actions that enable or disable this feature will also trigger the rule and produce false positives, so the surrounding context matters during an investigation.
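As an added example that is not part of the original rule page, the following Python script applies the selection logic the summary describes to a handful of constructed Windows Application log records: it keeps only EventID 15457 records from an MSSQL provider whose message mentions xp_cmdshell, and it also extracts whether the option was enabled or disabled so an analyst can triage the legitimate-administration false positives the summary mentions. The message wording, the provider names (MSSQLSERVER for the default instance, MSSQL$<name> for a named one) and the field names used for the records are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# SQL Server error 15457 is logged when a configuration option is changed.
EVENT_ID_CONFIG_CHANGE = 15457

# Assumption: message text of the form
# "Configuration option '<name>' changed from <old> to <new>. Run the RECONFIGURE statement to install."
CHANGE_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    direction: str            # "enabled", "disabled" or "unknown"
    old_value: Optional[int]
    new_value: Optional[int]
    message: str


def is_mssql_provider(provider: str) -> bool:
    """Assumption: the default instance logs as MSSQLSERVER, named instances as MSSQL$<name>."""
    return provider.upper().startswith("MSSQL")


def detect_xp_cmdshell_changes(events: Iterable[dict]) -> List[Alert]:
    """Selection logic of the rule: EventID 15457 from an MSSQL provider whose
    message contains xp_cmdshell. All other records are ignored."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != EVENT_ID_CONFIG_CHANGE:
            continue
        if not is_mssql_provider(ev.get("Provider", "")):
            continue
        msg = ev.get("Message", "")
        if "xp_cmdshell" not in msg.lower():
            continue
        old = new = None
        direction = "unknown"
        m = CHANGE_RE.search(msg)
        if m:
            old, new = int(m.group("old")), int(m.group("new"))
            if old == 0 and new != 0:
                direction = "enabled"     # the case that grants command execution
            elif old != 0 and new == 0:
                direction = "disabled"    # still reported: someone touched the setting
        alerts.append(Alert(ev.get("TimeCreated", ""), ev.get("Computer", ""),
                            direction, old, new, msg))
    return alerts


# Constructed sample records (not real telemetry). The first is the usual
# 'show advanced options' precursor, which the rule deliberately does not match.
SAMPLE_EVENTS = [
    {"TimeCreated": "2022-07-12T10:14:02Z", "Computer": "sql01.example.test",
     "Provider": "MSSQLSERVER", "EventID": 15457,
     "Message": "Configuration option 'show advanced options' changed from 0 to 1. "
                "Run the RECONFIGURE statement to install."},
    {"TimeCreated": "2022-07-12T10:14:03Z", "Computer": "sql01.example.test",
     "Provider": "MSSQLSERVER", "EventID": 15457,
     "Message": "Configuration option 'xp_cmdshell' changed from 0 to 1. "
                "Run the RECONFIGURE statement to install."},
    {"TimeCreated": "2022-07-12T10:20:00Z", "Computer": "sql01.example.test",
     "Provider": "MSSQLSERVER", "EventID": 17137,
     "Message": "Starting up database 'tempdb'."},
    {"TimeCreated": "2022-07-12T11:02:45Z", "Computer": "sql02.example.test",
     "Provider": "MSSQL$REPORTING", "EventID": 15457,
     "Message": "Configuration option 'xp_cmdshell' changed from 1 to 0. "
                "Run the RECONFIGURE statement to install."},
]


if __name__ == "__main__":
    for a in detect_xp_cmdshell_changes(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.host}: xp_cmdshell {a.direction} "
              f"({a.old_value} -> {a.new_value})")
```

Running the script reports two alerts (the enable on sql01 and the disable on sql02) and ignores both the 'show advanced options' change and the unrelated startup message. The direction field is what lets a triage step treat a scheduled change ticket that disables the option differently from an unexpected enable.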
Categories
- Database
- Infrastructure
Data Sources
- Application Log
- Process
Created: 2022-07-12