
Summary
This detection rule identifies unusual access to the registry keys that hold Internet Explorer's IntelliForms Storage (saved form data) by monitoring Windows Security Event logs. It focuses on EventCode 4663, which records object access events. When a process other than Internet Explorer or its associated legitimate processes reads the form-data registry keys, that access can signal unauthorized activity, potentially leading to data exfiltration or credential theft. The detection method filters out known safe processes and reports any remaining access to those sensitive registry keys. Implementing this rule requires enabling 'Audit Object Access' within Group Policy on the monitored Windows systems so that the relevant security events are captured.
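The rule's logic applied to a few constructed 4663 records, as an added example that is not part of the original rule content; the exact IntelliForms subkey path and the allowlisted process paths are assumptions to be tuned against the real rule.

```python
"""Flag EventCode 4663 registry access to IntelliForms keys from non-browser processes."""
import re

# Constructed sample records (not real telemetry); field names follow the 4663
# event schema. The IntelliForms key path is an assumption about the subkeys watched.
SAMPLE_EVENTS = [
    {"EventCode": 4663, "ObjectType": "Key", "SubjectUserName": "alice",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Internet Explorer\IntelliForms\Storage2",
     "ProcessName": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventCode": 4663, "ObjectType": "Key", "SubjectUserName": "alice",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Internet Explorer\IntelliForms\Storage2",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"EventCode": 4663, "ObjectType": "Key", "SubjectUserName": "alice",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"EventCode": 4656, "ObjectType": "Key", "SubjectUserName": "alice",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Internet Explorer\IntelliForms\Storage1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
]

# Keys the rule cares about (assumed: IntelliForms\Storage1 and Storage2).
INTELLIFORMS_KEY = re.compile(r"\\Internet Explorer\\IntelliForms\\Storage\d", re.IGNORECASE)

# Assumed allowlist of legitimate full paths. Matching the full path rather than the
# basename means a renamed binary dropped in %TEMP% does not inherit the exemption.
ALLOWED_PROCESSES = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files (x86)\internet explorer\iexplore.exe",
}

def is_allowed(process_name: str) -> bool:
    return process_name.lower() in ALLOWED_PROCESSES

def detect(events):
    """Return (user, process, key) for each anomalous IntelliForms key access."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4663 or ev.get("ObjectType") != "Key":
            continue  # only object-access events on registry keys
        obj = ev.get("ObjectName", "")
        if not INTELLIFORMS_KEY.search(obj):
            continue  # some other key, outside this rule's scope
        proc = ev.get("ProcessName", "")
        if is_allowed(proc):
            continue  # Internet Explorer itself, expected
        hits.append((ev.get("SubjectUserName", ""), proc, obj))
    return hits

if __name__ == "__main__":
    for user, proc, key in detect(SAMPLE_EVENTS):
        print(f"ALERT user={user} process={proc} key={key}")
```

Note that 4663 is only generated for keys that carry a SACL auditing the relevant access, so the audit policy alone is not enough; the IntelliForms keys themselves need an audit entry.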
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1552.001
Created: 2025-07-16