
Windows Anomalous Registry Value Length in Environment Key

Splunk Security Content

Summary
This rule detects anomalous registry activity on Windows hosts by monitoring the creation or modification of registry values under user or system Environment keys (registry paths matching *\\Environment\\*) whose value data exceeds 2,000 characters. It uses Sysmon EventID 13 (registry value set) events to observe registry changes, excludes the Path value name to skip the commonly long but legitimate PATH entry, and computes the length of registry_value_data. When that length exceeds 2,000 characters, an alert is produced with contextual details (destination host, process, user, registry path/name/value, and timestamps). The intent is to flag suspicious payloads or bloated environment variables that could indicate malware staging, encoded payloads, or abnormal deployments, consistent with threat patterns such as VIP Keylogger activity and MITRE ATT&CK technique T1112 (Modify Registry). The rule assumes endpoint registry data is ingested into the Endpoint.Registry datamodel with process context available to support attribution and rapid triage.
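The filtering steps described above, reimplemented in Python as an added example rather than the rule's own SPL: it walks a handful of constructed Sysmon EventID 13 records (field names mirror the Endpoint.Registry datamodel fields named in the summary; the event shape and the case-insensitive matching are assumptions), keeps only value-set events under an Environment key, drops the Path value name, and alerts when the value data is longer than 2,000 characters.

```python
import re

# Registry paths that sit under a user or system Environment key
# (the summary's "*\\Environment\\*" wildcard). Case-insensitive
# matching is an assumption; Windows registry paths are not case-sensitive.
ENV_KEY_RE = re.compile(r"\\environment\\", re.IGNORECASE)

# Length above which a value is considered anomalous (from the rule summary).
THRESHOLD = 2000

# Value names skipped to avoid the legitimately long PATH entry.
EXCLUDED_VALUE_NAMES = {"path"}


def registry_value_length(value_data):
    """Length of registry_value_data; a missing value counts as zero."""
    return len(value_data or "")


def detect_long_environment_values(events, threshold=THRESHOLD):
    """Return one alert dict per event that matches the rule's conditions.

    Each event is a dict with Endpoint.Registry-style keys; records that are
    not Sysmon EventID 13, not under an Environment key, named Path, or not
    longer than the threshold are ignored.
    """
    alerts = []
    for ev in events:
        if ev.get("event_id") != 13:
            continue
        if not ENV_KEY_RE.search(ev.get("registry_path", "")):
            continue
        if ev.get("registry_value_name", "").lower() in EXCLUDED_VALUE_NAMES:
            continue
        length = registry_value_length(ev.get("registry_value_data"))
        if length <= threshold:
            continue
        # Context a responder needs for triage, as listed in the summary.
        alerts.append({
            "time": ev.get("_time"),
            "dest": ev.get("dest"),
            "user": ev.get("user"),
            "process_name": ev.get("process_name"),
            "registry_path": ev.get("registry_path"),
            "registry_value_name": ev.get("registry_value_name"),
            "registry_value_data_len": length,
        })
    return alerts


# Constructed sample events (not real telemetry). Hostnames, SIDs and
# process names are placeholders.
USER_ENV = "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\"
SAMPLE_EVENTS = [
    {   # Long but legitimate PATH: excluded by value name.
        "_time": "2026-04-16T09:00:01Z", "event_id": 13, "dest": "ws01",
        "user": "CORP\\alice", "process_name": "SystemSettings.exe",
        "registry_path": USER_ENV + "Path", "registry_value_name": "Path",
        "registry_value_data": ";".join(
            "C:\\Program Files\\Tool%d\\bin" % i for i in range(100)),
    },
    {   # Short, ordinary environment value: below threshold.
        "_time": "2026-04-16T09:00:02Z", "event_id": 13, "dest": "ws01",
        "user": "CORP\\alice", "process_name": "cmd.exe",
        "registry_path": USER_ENV + "TEMP", "registry_value_name": "TEMP",
        "registry_value_data": "C:\\Users\\alice\\AppData\\Local\\Temp",
    },
    {   # Bloated base64-looking blob stored in an environment variable: alert.
        "_time": "2026-04-16T09:00:03Z", "event_id": 13, "dest": "ws01",
        "user": "CORP\\alice", "process_name": "powershell.exe",
        "registry_path": USER_ENV + "UpdateSvc",
        "registry_value_name": "UpdateSvc",
        "registry_value_data": "SGVsbG8=" * 320,
    },
    {   # Long value outside any Environment key: not in scope of this rule.
        "_time": "2026-04-16T09:00:04Z", "event_id": 13, "dest": "ws01",
        "user": "SYSTEM", "process_name": "vendorsvc.exe",
        "registry_path": "HKLM\\SOFTWARE\\ExampleVendor\\Config\\Blob",
        "registry_value_name": "Blob", "registry_value_data": "B" * 3000,
    },
    {   # Key creation (EventID 12), no value data: not a SetValue event.
        "_time": "2026-04-16T09:00:05Z", "event_id": 12, "dest": "ws01",
        "user": "CORP\\alice", "process_name": "regedit.exe",
        "registry_path": USER_ENV + "Scratch", "registry_value_name": "",
        "registry_value_data": None,
    },
]

if __name__ == "__main__":
    for alert in detect_long_environment_values(SAMPLE_EVENTS):
        print(alert)
```

Only the UpdateSvc event is reported: the PATH entry is longer than the threshold but excluded by name, the vendor blob is long but not under an Environment key, and the key-creation event carries no value data. Tuning the threshold or the exclusion set is the place to adjust if an environment legitimately stores long variables such as PSModulePath.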
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1112
Created: 2026-04-16