
Summary
This detection rule, authored by Elastic, identifies registry modifications that set the start type of specific Windows services used by SolarWinds software to disabled. Adversaries make this change to suppress services and evade security controls, so such a modification indicates potential adversarial activity. The rule evaluates events over a time window of 9 months across Windows data sources including winlogbeat and Sysmon. The attributes it monitors are the process names associated with SolarWinds, the registry paths that hold service start settings, and the registry values that signify a disabled state (4 or 0x00000004). The rule maps to MITRE ATT&CK tactics for defense evasion and for initial access via supply chain compromise. It includes an investigation guide that analysts can follow when triaging alerts, so that unauthorized service modifications resulting from potentially malicious activity can be identified, responded to, and remediated.
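As an added illustration of the matching logic the summary describes (this is not Elastic's rule or its query language, and it is not code from the page), the following Python evaluates constructed registry-change events against the three criteria: a SolarWinds process, a service Start value path, and a value that means disabled (4 or 0x00000004). Two details are assumptions not on the page: the SolarWinds process list is approximated by image names containing "solarwinds", and the monitored path is the standard SYSTEM\...\Services\<name>\Start value. The sample events and process names are constructed.

```python
"""Re-implementation of the rule's matching criteria over constructed events.

Not Elastic's rule. Assumptions (not from the page):
  - any process whose image name contains "solarwinds" stands in for the
    rule's explicit list of SolarWinds process names;
  - the watched path is SYSTEM\(CurrentControlSet|ControlSet00X)\Services\<svc>\Start.
"""
import re
from typing import Iterable, List, Tuple

# Service Start value path; group 1 captures the service name.
SERVICE_START_RE = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\Start$",
    re.IGNORECASE,
)


def is_disabled_value(raw) -> bool:
    """True if the registry data means Start=4 (SERVICE_DISABLED).

    Accepts an int, a decimal string ("4"), a hex string ("0x00000004"), or
    the Sysmon Details form ("DWORD (0x00000004)").
    """
    if isinstance(raw, int):
        return raw == 4
    match = re.search(r"0x[0-9a-fA-F]+|\d+", str(raw))
    if not match:
        return False
    return int(match.group(0), 0) == 4


def is_solarwinds_process(name: str) -> bool:
    # Assumption: substring match instead of the rule's explicit process list.
    return "solarwinds" in (name or "").lower()


def match_event(event: dict):
    """Return (process, service) if the event disables a service, else None."""
    if event.get("event.type") != "change":
        return None
    process = event.get("process.name", "")
    if not is_solarwinds_process(process):
        return None
    path_match = SERVICE_START_RE.search(event.get("registry.path", ""))
    if not path_match:
        return None
    values = event.get("registry.data.strings") or []
    if not any(is_disabled_value(v) for v in values):
        return None
    return process, path_match.group(1)


def find_disabled_services(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Apply match_event to a stream of ECS-style events; keep the hits."""
    return [hit for hit in (match_event(e) for e in events) if hit]


# Constructed sample events (field names follow the ECS/winlogbeat style).
SAMPLE_EVENTS = [
    {   # hit: SolarWinds process sets Start=4 on a service
        "event.type": "change",
        "process.name": "solarwinds-agent-example.exe",
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleCollectorSvc\Start",
        "registry.data.strings": ["DWORD (0x00000004)"],
    },
    {   # no hit: non-SolarWinds process disabling a service
        "event.type": "change",
        "process.name": "notepad.exe",
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleCollectorSvc\Start",
        "registry.data.strings": ["4"],
    },
    {   # no hit: SolarWinds process sets Start=2 (automatic), not disabled
        "event.type": "change",
        "process.name": "solarwinds-agent-example.exe",
        "registry.path": r"HKLM\SYSTEM\ControlSet001\Services\ExampleCollectorSvc\Start",
        "registry.data.strings": ["0x00000002"],
    },
    {   # no hit: SolarWinds process writes a different service value
        "event.type": "change",
        "process.name": "solarwinds-agent-example.exe",
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleCollectorSvc\ImagePath",
        "registry.data.strings": [r"C:\placeholder\svc.exe"],
    },
]

if __name__ == "__main__":
    for process, service in find_disabled_services(SAMPLE_EVENTS):
        print(f"ALERT: {process} set service '{service}' to disabled")
```

Only the first sample event satisfies all three criteria; the others show the negative cases a tuned rule must reject (wrong process, a non-disabled Start value, a different value under the same service key).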
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Logon Session
- User Account
- Network Traffic
ATT&CK Techniques
- T1112
- T1562
- T1562.001
- T1195
- T1195.002
Created: 2020-12-14