Windows Registry SIP Provider Modification

Splunk Security Content

Summary
This analytic detects modifications to the Windows Subject Interface Package (SIP) and trust provider registry keys using Sysmon Event ID 12 (registry key created or deleted) and Event ID 13 (registry value set). It focuses on the registry paths under Cryptography\Providers (trust providers) and Cryptography\OID\EncodingType (SIP function registrations), which Windows consults when it verifies Authenticode signatures. Rewriting these entries to point at an attacker-controlled DLL can make unsigned or tampered code appear validly signed, subverting signature-based trust controls (T1553.003). The rule pulls the registry events from endpoint logs and groups them by the process and user that made the change, so an analyst can pivot directly to the responsible process. Because Sysmon records registry events only for the keys its configuration includes, confirm that these Cryptography paths, including the WOW6432Node view on 64-bit hosts, are covered by the Sysmon config before relying on this detection.
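The matching and grouping step the summary describes, as an added example that is not Splunk's published search: Sysmon-style registry events are filtered to IDs 12 and 13, tested against watch patterns for the Cryptography Providers and OID EncodingType keys, and aggregated by the process and user that made the change. The exact path patterns are an assumption drawn from the summary (the real rule's SPL is not on this page), and the sample events are constructed, not real telemetry.

```python
"""Added example (not Splunk's own content): match Sysmon registry events
against SIP/trust-provider registry paths and group hits by process."""
import fnmatch
from collections import defaultdict

# Assumed watch patterns (fnmatch-style), derived from the page's description
# of "Cryptography Providers" and "OID Encoding Types". Both the native and
# the WOW6432Node registry views are included.
SIP_PATH_PATTERNS = [
    r"*\SOFTWARE\Microsoft\Cryptography\OID\EncodingType*",
    r"*\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType*",
    r"*\SOFTWARE\Microsoft\Cryptography\Providers\Trust*",
    r"*\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust*",
]

# Sysmon Event ID 12 = registry object create/delete, 13 = registry value set.
REGISTRY_EVENT_IDS = {12, 13}

# Constructed Sysmon-like records for illustration only (not real logs).
# The first two mimic a SIP hijack: a new DLL path is written for the PE
# CryptSIPDllVerifyIndirectData function and a trust FinalPolicy key is created.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\Temp\evil.exe", "User": "LAB\\alice",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0"
                     r"\CryptSIPDllVerifyIndirectData"
                     r"\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll",
     "Details": r"C:\Windows\Temp\fakesip.dll"},
    {"EventID": 12, "Image": r"C:\Windows\Temp\evil.exe", "User": "LAB\\alice",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust"
                     r"\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
     "Details": ""},
    # Benign noise: a Run-key persistence write outside the watched paths.
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": "LAB\\bob",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\updater.exe"},
    # Process-creation event (ID 1): not a registry event, must be ignored.
    {"EventID": 1, "Image": r"C:\Windows\Temp\evil.exe", "User": "LAB\\alice"},
]


def is_sip_path(target_object, patterns=SIP_PATH_PATTERNS):
    """Return True if a Sysmon TargetObject falls under a watched SIP/trust key.

    Registry paths are case-insensitive, so both sides are lower-cased before
    the wildcard comparison; fnmatch treats backslashes as literal characters.
    """
    path = target_object.lower()
    return any(fnmatch.fnmatchcase(path, p.lower()) for p in patterns)


def match_sip_events(events):
    """Keep only registry events (ID 12/13) whose key is a watched SIP path."""
    return [
        e for e in events
        if e.get("EventID") in REGISTRY_EVENT_IDS
        and is_sip_path(e.get("TargetObject", ""))
    ]


def aggregate_by_process(events):
    """Group hits by (Image, User): count, touched keys, and values written.

    This mirrors the rule's grouping of registry changes by the process that
    made them, which is the pivot an analyst needs for triage.
    """
    out = defaultdict(lambda: {"count": 0, "paths": set(), "values": set()})
    for e in match_sip_events(events):
        key = (e["Image"], e["User"])
        out[key]["count"] += 1
        out[key]["paths"].add(e["TargetObject"])
        if e.get("Details"):
            out[key]["values"].add(e["Details"])
    return dict(out)


if __name__ == "__main__":
    for (image, user), agg in aggregate_by_process(SAMPLE_EVENTS).items():
        print(f"{image} ({user}): {agg['count']} SIP/trust registry change(s)")
        for p in sorted(agg["paths"]):
            print("  key:  ", p)
        for v in sorted(agg["values"]):
            print("  value:", v)
```

Run stand-alone, the script reports only `evil.exe` with two hits and the `fakesip.dll` path it wrote; the Run-key write and the process-creation event are filtered out. Expect some benign volume from Windows Update and security software that legitimately register SIP or trust providers, so an allowlist on `Image` and `Details` is the usual tuning step.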
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1553 (Subvert Trust Controls)
  • T1553.003 (SIP and Trust Provider Hijacking)
Created: 2024-11-13