
Summary
This detection rule identifies modifications to the hosts file on Windows endpoints in an environment. The search uses the Endpoint data model to analyze file system events captured by Sysmon Event ID 11 (FileCreate), which Sysmon logs when a file is created or overwritten. By targeting the hosts file at its standard location under the Windows System32 directory (System32\drivers\etc\hosts), the rule surfaces potentially unauthorized changes that may indicate malicious activity such as malware redirecting web traffic or blocking name resolution for security or update services. Because Event ID 11 records creates and overwrites rather than every in-place write, coverage depends on how the editing tool saves the file. Legitimate modifications by system administrators or configuration-management tooling will also trigger the rule, so the writing process (Image), the user, and any change record should be correlated with the event before an alert is treated as actionable.
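The matching and triage logic the summary describes, applied to constructed Sysmon Event ID 11 records, as an added example that is not part of the original page or the rule's own search. The field names follow Sysmon's schema (EventCode, Image, TargetFilename, User); the sample events and the allow-list of expected process images (a hypothetical configuration-management agent) are assumptions for illustration.

```python
"""Added example: hosts-file modification triage over constructed Sysmon
Event ID 11 (FileCreate) records. Illustrative code, not the detection
rule's own search; the sample records and allow-list below are constructed."""

import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Anchored, case-insensitive suffix match: Sysmon records the path as the
# writing process supplied it, so casing varies, and the trailing "$" keeps
# look-alikes such as "hosts.bak" or "hosts.ics" from matching.
HOSTS_SUFFIX = re.compile(r"\\system32\\drivers\\etc\\hosts$", re.IGNORECASE)

# Hypothetical allow-list of process images expected to rewrite the hosts file.
EXPECTED_IMAGES: Set[str] = {"cm-agent.exe"}


@dataclass
class SysmonEvent:
    event_code: int
    image: str            # process that created/overwrote the file
    target_filename: str  # file that was created/overwritten
    user: str


@dataclass
class Alert:
    image: str
    user: str
    target_filename: str
    reason: str


def is_hosts_file_create(evt: SysmonEvent) -> bool:
    """True only for FileCreate (11) events on the real hosts file path."""
    return evt.event_code == 11 and HOSTS_SUFFIX.search(evt.target_filename) is not None


def triage(events: Iterable[SysmonEvent], expected_images: Set[str]) -> List[Alert]:
    """One alert per hosts-file FileCreate. Events from allow-listed images are
    still reported (the file did change) but tagged so analysts can prioritise
    the unexpected writers, which is the correlation step the rule calls for."""
    alerts = []
    for evt in events:
        if not is_hosts_file_create(evt):
            continue
        image_name = ntpath.basename(evt.image).lower()
        reason = "expected image" if image_name in expected_images else "unexpected image"
        alerts.append(Alert(evt.image, evt.user, evt.target_filename, reason))
    return alerts


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    SysmonEvent(11, r"C:\Windows\System32\notepad.exe",
                r"C:\Windows\System32\drivers\etc\hosts", r"CORP\jdoe"),
    SysmonEvent(11, r"C:\ProgramData\update\svc.exe",
                r"c:\windows\system32\DRIVERS\etc\HOSTS", r"NT AUTHORITY\SYSTEM"),
    SysmonEvent(11, r"C:\Program Files\CMAgent\cm-agent.exe",
                r"C:\Windows\System32\drivers\etc\hosts", r"NT AUTHORITY\SYSTEM"),
    # Decoy: a file named "hosts" outside the system path is not the target.
    SysmonEvent(11, r"C:\Windows\System32\notepad.exe",
                r"C:\Users\jdoe\Desktop\hosts", r"CORP\jdoe"),
    # Backup copy next to the real file; the anchored regex rejects it.
    SysmonEvent(11, r"C:\Windows\System32\cmd.exe",
                r"C:\Windows\System32\drivers\etc\hosts.bak", r"CORP\jdoe"),
    # Process-create event (ID 1) mentioning the path is out of scope here.
    SysmonEvent(1, r"C:\Windows\System32\cmd.exe",
                r"C:\Windows\System32\drivers\etc\hosts", r"CORP\jdoe"),
]


def run_demo() -> List[Alert]:
    return triage(SAMPLE_EVENTS, EXPECTED_IMAGES)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"[{alert.reason}] {alert.user} via {alert.image} -> {alert.target_filename}")
```

Running the block yields three alerts: the two writes by notepad.exe and the unsigned-looking svc.exe are tagged as unexpected, the configuration-agent write is tagged as expected, and the decoy, backup and process-create records produce nothing. Because Event ID 11 only fires on create or overwrite, an editor that rewrites the file in place would not appear here at all; pairing this with a file-integrity check of the hosts contents closes that gap.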
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- File
Created: 2024-11-14