
Summary
This detection rule identifies when a user enables DNS-over-HTTPS (DoH) through registry changes on Windows systems. The concern is that enabling DoH hides DNS queries from organizational monitoring, which makes it easier for a malicious actor to conceal internet activity or exfiltrate data without detection. The rule triggers on specific modifications to the registry paths that control DoH in Microsoft Edge, Google Chrome, and Mozilla Firefox. Although DoH improves user privacy by encrypting DNS requests, it is a security risk in a managed environment because it removes visibility into DNS traffic, which is critical for identifying potential threats or attacks. The rule's priority is low, but it draws attention to a change in network behaviour that degrades detection capability. Investigation following an alert includes reviewing the user's activity, analysing network traffic for unusual DNS queries, and assessing whether the registry change was legitimate. Triage steps and possible responses also cover user education and updating security policies to control the use of DoH in the organization. The rule alerts security teams to changes that may signal misuse of a privacy feature to mask internet activity.
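The matching logic the summary describes, as an added illustration that is not the rule's own query or code: a small Python detector run over constructed registry-change telemetry. The browser policy locations it watches (Edge `BuiltInDnsClientEnabled`, Chrome `DnsOverHttpsMode`, Firefox `DNSOverHTTPS\Enabled` under `Software\Policies`) are taken from the browsers' public policy documentation as I recall it and should be treated as assumptions, as should the event record shape; the sample events are made up. The example goes slightly beyond the summary by normalising hive aliases, `HKCU` versus `HKLM`, and `WOW6432Node` so that the same policy written through different paths is still caught, and by ignoring deletions, which disable rather than enable DoH.

```python
"""Illustrative detector for DoH-enabling registry changes on Windows.
Not the detection rule's own code; paths and event shape are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class RegistryEvent:
    """Minimal shape of a registry-change telemetry record (assumed)."""
    host: str
    user: str
    process: str
    path: str        # full key path including the value name
    data: str        # value written, as a string
    event_type: str  # "creation", "change" or "deletion"


# Browser policy values that turn DoH on. Locations are assumed from the
# browsers' public policy documentation, keyed by path with the hive removed.
DOH_ENABLE_POLICIES: Dict[str, Set[str]] = {
    # Edge: BuiltInDnsClientEnabled = 1 enables the built-in (DoH-capable) resolver
    "software\\policies\\microsoft\\edge\\builtindnsclientenabled": {"1"},
    # Chrome: "secure" = DoH only, "automatic" = upgrade when possible, "off" = disabled
    "software\\policies\\google\\chrome\\dnsoverhttpsmode": {"secure", "automatic"},
    # Firefox: DNSOverHTTPS\Enabled = 1
    "software\\policies\\mozilla\\firefox\\dnsoverhttps\\enabled": {"1"},
}

HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def normalise_path(path: str) -> str:
    """Lower-case the path, canonicalise the hive name, drop WOW6432Node and
    strip the hive so HKLM and HKCU policy keys hit the same table entry."""
    p = path.strip().replace("/", "\\").lower()
    for long_name, short_name in HIVE_ALIASES.items():
        if p.startswith(long_name + "\\"):
            p = short_name + p[len(long_name):]
    p = p.replace("\\wow6432node\\", "\\")
    hive, sep, rest = p.partition("\\")
    return rest if sep and hive in ("hklm", "hkcu") else p


def match_doh_enable(event: RegistryEvent) -> Optional[dict]:
    """Return an alert record when the event writes a DoH-enabling policy value."""
    if event.event_type not in ("creation", "change"):
        return None  # deletions turn the policy off; not an enable
    key = normalise_path(event.path)
    enabling = DOH_ENABLE_POLICIES.get(key)
    if enabling is None or event.data.strip().lower() not in enabling:
        return None
    return {
        "host": event.host, "user": event.user, "process": event.process,
        "path": event.path, "data": event.data,
        "browser": key.split("\\")[2],  # microsoft / google / mozilla
    }


def scan(events: List[RegistryEvent]) -> List[dict]:
    """Run the matcher over a batch of events; triage fields travel with each hit."""
    return [a for a in (match_doh_enable(e) for e in events) if a]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    RegistryEvent("ws01", "CORP\\alice", "reg.exe",
                  "HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled", "1", "creation"),
    RegistryEvent("ws01", "CORP\\alice", "gpupdate.exe",
                  "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Chrome\\DnsOverHttpsMode", "off", "change"),
    RegistryEvent("ws02", "CORP\\bob", "powershell.exe",
                  "HKCU\\Software\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled", "1", "change"),
    RegistryEvent("ws02", "CORP\\bob", "msiexec.exe",
                  "HKLM\\SOFTWARE\\WOW6432Node\\Policies\\Google\\Chrome\\DnsOverHttpsMode", "secure", "change"),
    RegistryEvent("ws03", "CORP\\carol", "reg.exe",
                  "HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled", "1", "deletion"),
    RegistryEvent("ws03", "CORP\\carol", "svchost.exe",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "C:\\x.exe", "creation"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Each hit carries the host, user and writing process, which is what the triage steps above need: a change written by `gpupdate.exe` under `HKLM` usually reflects a sanctioned policy rollout, while the same value written by a shell or script under `HKCU` is a user- or tool-initiated change that warrants review of the user's DNS and network activity.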
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Malware Repository
- Network Traffic
- Application Log
ATT&CK Techniques
- T1112
- T1562
Created: 2021-07-22