Windows Downdate Registry Activity

Splunk Security Content

Summary
Detects Windows Downdate registry activity by analyzing Sysmon registry-related events (Event IDs 12–14) for indicators used in the Windows Downdate attack. Specifically, it looks for registry edits whose TargetObject matches PendingXmlIdentifier patterns (e.g., *COMPONENTS\PendingXmlIdentifier) or command-line tokens such as *PoqexecCmdline, which attackers use to manipulate pending.xml during a downgrade. The search excludes legitimate, standard Windows update paths (notably Windows\WinSxS) to reduce noise.

The rule aggregates by EventID, TargetObject, ProcessPath, Computer, action, process_guid, process_id, and the registry-related fields (registry_hive, registry_path, registry_key_name, registry_value_data, registry_value_name) to surface the first and last times of the activity, and it provides contextual fields such as user and vendor_product. It is designed for endpoint telemetry ingested from EDR agents and mapped to the CIM Endpoint data model, enabling correlation with user activity, processes, and risk signals. The rule is aligned with the techniques for registry modification (T1112) and potential downgrade/exploitation paths (T1689) and includes drill-down and risk-based alerts to aid investigation.

Limitations include possible false positives from legitimate system rollback or update processes that touch pending.xml in non-standard locations; these should be validated against change management. The rule relies on complete process command lines, process GUIDs, and parent-child process lineage to attribute activity accurately. Keywords and references point to downgrade techniques and Downdate-related research.
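The filtering and aggregation the summary describes, reproduced as a small Python matcher run over constructed Sysmon registry events. This is an added illustration, not the Splunk Security Content search itself: the event field names (event_id, image, target_object, details) follow Sysmon's registry event schema, the sample events and process paths are made up, and the WinSxS exclusion is assumed here to be applied to the registry value data that was written (the pending.xml path), since that is where a standard update points poqexec.

```python
"""Added example: Downdate registry indicator matching and first/last-seen
aggregation over constructed Sysmon registry events (not the original search).

Assumptions: Sysmon field names; the Windows\\WinSxS exclusion is checked
against the written value data rather than the key name."""
from dataclasses import dataclass
import fnmatch

# Sysmon registry event IDs: 12 = key created/deleted, 13 = value set, 14 = key/value renamed.
REGISTRY_EVENT_IDS = {12, 13, 14}
# Wildcard patterns the detection applies to the registry TargetObject (matched case-insensitively).
TARGET_PATTERNS = ("*COMPONENTS\\PendingXmlIdentifier", "*PoqexecCmdline")
# Standard servicing location excluded to reduce noise from normal Windows updates.
BENIGN_TOKEN = "windows\\winsxs"


@dataclass(frozen=True)
class RegistryEvent:
    event_id: int
    utc_time: str       # ISO-8601 UTC, so string ordering equals time ordering
    computer: str
    image: str          # ProcessPath: the process that performed the registry write
    target_object: str  # registry_path in CIM terms
    details: str = ""   # registry_value_data (present for EventID 13)


def target_matches(target_object: str) -> bool:
    """True when the key or value path matches one of the Downdate indicators."""
    lowered = target_object.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in TARGET_PATTERNS)


def is_downdate_candidate(ev: RegistryEvent) -> bool:
    """Apply the three filters: registry event, indicator path, not a WinSxS write."""
    if ev.event_id not in REGISTRY_EVENT_IDS:
        return False
    if not target_matches(ev.target_object):
        return False
    # Assumption: a value pointing into Windows\WinSxS is normal servicing activity.
    if BENIGN_TOKEN in ev.details.lower():
        return False
    return True


def aggregate(events):
    """Group candidates by (EventID, TargetObject, ProcessPath, Computer) and surface
    first/last time, count and the distinct value data, like the rule's stats clause."""
    rows = {}
    for ev in events:
        if not is_downdate_candidate(ev):
            continue
        key = (ev.event_id, ev.target_object, ev.image, ev.computer)
        row = rows.setdefault(key, {
            "EventID": ev.event_id, "TargetObject": ev.target_object,
            "ProcessPath": ev.image, "Computer": ev.computer,
            "firstTime": ev.utc_time, "lastTime": ev.utc_time,
            "count": 0, "registry_value_data": set(),
        })
        row["firstTime"] = min(row["firstTime"], ev.utc_time)
        row["lastTime"] = max(row["lastTime"], ev.utc_time)
        row["count"] += 1
        if ev.details:
            row["registry_value_data"].add(ev.details)
    return sorted(rows.values(), key=lambda r: r["firstTime"])


# Constructed sample telemetry (not real host data).
SAMPLE_EVENTS = [
    # Normal servicing: TrustedInstaller points poqexec at the WinSxS pending.xml -> excluded
    RegistryEvent(13, "2026-04-13T09:00:00Z", "WKS01", r"C:\Windows\servicing\TrustedInstaller.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Configuration\PoqexecCmdline",
                  r"C:\Windows\WinSxS\pending.xml"),
    # Flagged: an unexpected process sets PoqexecCmdline to a pending.xml outside WinSxS
    RegistryEvent(13, "2026-04-13T09:05:00Z", "WKS01", r"C:\Windows\Temp\updater.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Configuration\PoqexecCmdline",
                  r"C:\Windows\Temp\pending.xml"),
    # Flagged: the same process touches the PendingXmlIdentifier key twice (aggregated into one row)
    RegistryEvent(12, "2026-04-13T09:05:01Z", "WKS01", r"C:\Windows\Temp\updater.exe",
                  r"HKLM\COMPONENTS\PendingXmlIdentifier"),
    RegistryEvent(12, "2026-04-13T09:07:30Z", "WKS01", r"C:\Windows\Temp\updater.exe",
                  r"HKLM\COMPONENTS\PendingXmlIdentifier"),
    # Unrelated registry write -> no match
    RegistryEvent(13, "2026-04-13T09:10:00Z", "WKS01", r"C:\Windows\explorer.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
]

if __name__ == "__main__":
    for row in aggregate(SAMPLE_EVENTS):
        print(row["EventID"], row["TargetObject"], row["ProcessPath"],
              row["firstTime"], row["lastTime"], row["count"])
```

Running the block prints two aggregated rows for the constructed host: the PoqexecCmdline write pointing outside WinSxS and the pair of PendingXmlIdentifier key events, while the TrustedInstaller write and the Explorer value set are dropped. In a real deployment the same grouping would also carry process_guid, process_id and user so that the rows can be joined to process lineage, which is what the rule needs to attribute the activity.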
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1112
  • T1689
Created: 2026-04-13