Suspicious Keyboard Layout Load

Sigma Rules

Summary
This Sigma rule detects the loading of a keyboard layout that should not appear on Windows systems used only by US-based staff. Its premise is simple: an operator who is typing interactively on a compromised host (for example over RDP) tends to add the keyboard layout for their own language, and that change is recorded in the per-user registry. The rule uses Sysmon registry value-set events (Event ID 13) and matches writes whose target path contains '\Keyboard Layout\Preload\' or '\Keyboard Layout\Substitutes\' and whose written data contains one of three keyboard layout identifiers: '00000429' (Persian, Iran), '00050429' (Persian, Standard) and '0000042a' (Vietnamese). Note that 0x0429 is the Windows language ID for Persian, not Chinese; although the rule's description names Chinese, Iranian and Vietnamese layouts as examples, the identifiers it actually lists cover only Persian and Vietnamese. The identifiers are not malicious in themselves; the signal is that they are unexpected in this particular environment. The rule is therefore environment-specific: organizations whose users legitimately work in these languages will see false positives and should tune or drop it, and organizations with a different staff profile can substitute the layouts that are anomalous for them. A hit is best treated as a lead for investigating interactive attacker activity on the host, not as proof of compromise on its own.
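The matching logic described above, run over a handful of constructed Sysmon Event ID 13 records. This is an added example, not the Sigma rule itself or code from the rule's authors; the SID, process images and hostnames in the sample events are placeholders, and the substring matching mirrors how Sigma's `contains` modifier behaves (case-insensitive). It also shows the two cases a practitioner most wants confirmed: a normal US English preload does not alert, and a registry key-creation event (Event ID 12, which carries no Details field) cannot match.

```python
"""Matching logic of the 'Suspicious Keyboard Layout Load' detection applied
to constructed Sysmon registry events. Added example, not the Sigma rule."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry paths the rule watches. Matching is substring-based and
# case-insensitive, like Sigma's `contains` modifier.
WATCHED_KEYS = ("\\keyboard layout\\preload\\", "\\keyboard layout\\substitutes\\")

# Keyboard layout identifiers (KLIDs) named on the page. The low 16 bits of a
# KLID are the Windows language ID: 0x0429 = Persian (Iran), 0x042A = Vietnamese.
# 00050429 is a Persian layout variant (non-zero high word). US English (00000409)
# is deliberately absent, so a normal US workstation generates no alert.
SUSPICIOUS_KLIDS = {
    "00000429": "Persian (Iran)",
    "00050429": "Persian (Standard)",
    "0000042a": "Vietnamese",
}


@dataclass
class RegistryEvent:
    """Minimal projection of a Sysmon Event ID 13 (RegistryEvent: Value Set) record."""
    event_id: int
    image: str          # process that wrote the value
    target_object: str  # full registry path of the value
    details: str        # the data written (empty for non value-set events)


def matches_rule(ev: RegistryEvent) -> Optional[str]:
    """Return the flagged layout's name if the event matches the rule, else None."""
    if ev.event_id != 13:  # only value-set events carry the KLID in Details
        return None
    path = ev.target_object.lower()
    if not any(key in path for key in WATCHED_KEYS):
        return None
    details = ev.details.lower()
    for klid, name in SUSPICIOUS_KLIDS.items():
        if klid in details:
            return name
    return None


def triage(events: List[RegistryEvent]) -> List[Tuple[RegistryEvent, str]]:
    """Run the rule over a batch of events and keep the hits with their layout name."""
    hits = []
    for ev in events:
        name = matches_rule(ev)
        if name:
            hits.append((ev, name))
    return hits


# Constructed sample events (not real telemetry). SID and images are placeholders.
SID = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Normal US English preload written at logon: must not alert.
    RegistryEvent(13, "C:\\Windows\\explorer.exe", SID + "\\Keyboard Layout\\Preload\\1", "00000409"),
    # Key-creation event (Event ID 12) for the same key: no Details, nothing to match.
    RegistryEvent(12, "C:\\Windows\\explorer.exe", SID + "\\Keyboard Layout\\Preload", ""),
    # Second preload slot set to a Persian layout during an interactive session: alert.
    RegistryEvent(13, "C:\\Windows\\explorer.exe", SID + "\\Keyboard Layout\\Preload\\2", "00000429"),
    # Unrelated value under Keyboard Layout (hotkey setting): not a watched subkey.
    RegistryEvent(13, "C:\\Windows\\explorer.exe", SID + "\\Keyboard Layout\\Toggle\\Hotkey", "1"),
    # Substitution remapping the default layout to Vietnamese (upper-case data): alert.
    RegistryEvent(13, "C:\\Windows\\explorer.exe", SID + "\\Keyboard Layout\\Substitutes\\00000409", "0000042A"),
]

if __name__ == "__main__":
    for ev, name in triage(SAMPLE_EVENTS):
        print(f"ALERT {name}: {ev.image} wrote {ev.details} to {ev.target_object}")
```

The Substitutes case is worth keeping in the sample set: there the value name is the layout being replaced (00000409) and the data is the replacement layout, so the suspicious identifier appears in Details rather than in the path, which is exactly why the rule inspects the written data and not only the key.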
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2019-10-12