
Summary
This detection rule aims to identify potentially malicious modifications to critical SQL Server configuration options, specifically features that attackers are known to abuse. The monitored options are 'Ad Hoc Distributed Queries', 'external scripts enabled', 'Ole Automation Procedures', 'clr enabled', and 'clr strict security'. Enabling these features exposes functionality such as Active Directory reconnaissance and arbitrary code execution, which are common tactics employed by adversaries during attacks against SQL Server. The rule leverages Windows Event Log Application EventCode 15457 to detect these changes and assesses the potential risk of enabling or disabling each feature by assigning risk scores and generating risk messages. Implementing this detection provides visibility into key configuration changes that could expose security vulnerabilities within SQL Server environments, aiding in the early detection of potential attacks.
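As an added illustration of the detection logic the summary describes (not the rule's own search, which is not on this page): a small Python check that reads Windows Application log records, keeps only EventCode 15457 messages touching the five watched options, and scores the direction of the change. The 15457 message wording is SQL Server's own; the risk score values, the `host` field name and the sample records are assumptions constructed for this example.

```python
import re
from typing import Optional

# Options the rule watches, mapped to the new value that is the risky direction.
# 'clr strict security' is a hardening option, so disabling it (new value 0) is the
# risky change; for the others, enabling (new value 1) is.
WATCHED_OPTIONS = {
    "ad hoc distributed queries": 1,
    "external scripts enabled": 1,
    "ole automation procedures": 1,
    "clr enabled": 1,
    "clr strict security": 0,
}
# SQL Server writes event 15457 to the Application log with a message of the form
# "Configuration option 'X' changed from 0 to 1. Run the RECONFIGURE statement to install."
MSG_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\.")
# Risk scores are assumed for illustration; they are not the rule's own values.
RISK_HARMFUL, RISK_REVERSAL = 60, 20

def assess(event: dict) -> Optional[dict]:
    """Return a finding for a 15457 event that changes a watched option, else None."""
    if str(event.get("EventCode")) != "15457":
        return None
    m = MSG_RE.search(event.get("Message", ""))
    if not m:
        return None                      # some other 15457 message shape
    option = m.group("option").lower()   # option names are case-insensitive in SQL Server
    if option not in WATCHED_OPTIONS:
        return None
    old, new = int(m.group("old")), int(m.group("new"))
    if old == new:
        return None                      # no effective change
    risky = new == WATCHED_OPTIONS[option]
    verb = "enabled" if new == 1 else "disabled"
    return {
        "host": event.get("host", "?"), "option": option, "old": old, "new": new,
        "risk_score": RISK_HARMFUL if risky else RISK_REVERSAL,
        "risk_message": f"SQL Server option '{option}' {verb} on {event.get('host', '?')}",
    }

def run_detection(events: list) -> list:
    """Apply assess() to every record and keep the findings."""
    return [f for f in (assess(e) for e in events) if f is not None]

# Constructed sample records in the shape of Windows Application log events.
SAMPLE_EVENTS = [
    {"host": "sql01", "EventCode": 15457, "Message": "Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install."},
    {"host": "sql01", "EventCode": 15457, "Message": "Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install."},
    {"host": "sql02", "EventCode": 15457, "Message": "Configuration option 'clr strict security' changed from 1 to 0. Run the RECONFIGURE statement to install."},
    {"host": "sql02", "EventCode": 15457, "Message": "Configuration option 'clr enabled' changed from 1 to 0. Run the RECONFIGURE statement to install."},
    {"host": "sql02", "EventCode": 17137, "Message": "Starting up database 'master'."},
]
```

Running `run_detection(SAMPLE_EVENTS)` yields three findings: the unwatched memory option and the non-15457 record are ignored, the two risky changes score 60, and the reversal of 'clr enabled' scores 20.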
Categories
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1505
- T1505.001
Created: 2025-02-06