DNS-over-HTTPS Enabled by Registry

Sigma Rules

Summary
This detection rule identifies when DNS-over-HTTPS (DoH) is enabled through Windows Registry modifications. DoH encrypts DNS queries to improve privacy and security, which also hides a host's name-resolution activity from external observers. In an organization that relies on DNS telemetry, enabling DoH removes visibility into query names, query types, responses, and the originating IP addresses, and that blind spot can help an attacker conceal command-and-control traffic or data exfiltration. The rule monitors registry value writes under the browser-specific paths for Edge, Chrome, and Firefox that switch DoH on. Detecting DoH enablement matters because it preserves visibility over network traffic and so keeps threat detection and response effective. Expect some benign matches where administrators roll DoH out deliberately through policy; those should be baselined by the writing process and scope rather than suppressed outright.
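To show what this rule's logic looks like when run over registry telemetry, here is an added Python example (not the Sigma rule itself and not code from the rule project) that scans Sysmon-style Event ID 13 records for browser policy values that turn DoH on. The registry paths and expected values are assumptions about which policy keys the rule covers, and the events are constructed samples, not real logs.

```python
# Added example: match Sysmon registry SetValue events (Event ID 13) that
# enable DNS-over-HTTPS in Edge, Chrome or Firefox.

# ASSUMED (registry path suffix, expected value) per browser. These are the
# browser policy keys commonly used to force DoH on; they are not copied
# from the Sigma rule. Matching is case-insensitive suffix + exact value,
# mirroring Sigma's 'endswith' and equality modifiers.
DOH_INDICATORS = {
    "edge":    (r"\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled",
                "DWORD (0x00000001)"),
    "chrome":  (r"\SOFTWARE\Policies\Google\Chrome\DnsOverHttpsMode", "secure"),
    "firefox": (r"\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled",
                "DWORD (0x00000001)"),
}

def match_doh_event(event: dict):
    """Return the browser name if this registry write enables DoH, else None."""
    if event.get("EventID") != 13:          # only value writes, not key creation
        return None
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    for browser, (suffix, expected) in DOH_INDICATORS.items():
        if target.endswith(suffix.lower()) and details == expected.lower():
            return browser
    return None

def scan_events(events):
    """Return (Image, browser) for every event that matched, in input order."""
    hits = []
    for ev in events:
        browser = match_doh_event(ev)
        if browser:
            hits.append((ev.get("Image", "?"), browser))
    return hits

# Constructed sample events in Sysmon field naming (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\DnsOverHttpsMode",
     "Details": "secure"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\gpupdate.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\DnsOverHttpsMode",
     "Details": "off"},                      # DoH explicitly disabled: no alert
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",   # key created only
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled",
     "Details": ""},
]

if __name__ == "__main__":
    for image, browser in scan_events(SAMPLE_EVENTS):
        print(f"DoH enabled for {browser} by {image}")
```

The Image field is carried through so a triage step can separate policy tooling from interactive or scripted edits.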
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
Created: 2021-07-22