
Summary
This detection rule identifies updates to the Sysmon configuration files on Windows systems, a technique attackers may use to alter Sysmon's logging behavior and evade detection. Sysmon, part of the Sysinternals Suite, monitors and logs system activity for indications of malicious behavior. The rule combines two selections: the process must be a legitimate Sysmon binary (Sysmon64.exe or Sysmon.exe, or a process whose description identifies it as the System activity monitor), and its command line must contain the flag that indicates a configuration update. Because the condition requires all selections to match, a process that is Sysmon but carries no such flag, or one that carries the flag but is not Sysmon, does not trigger the alert; this improves precision. Since legitimate administrators also perform configuration updates, the rule includes an annotation about potential false positives, so the context surrounding each alert must be evaluated before deciding on a response.
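The two-selection logic described above, as an added example that is not the rule's own source: it evaluates constructed Sysmon process-creation events (field names Image, Description and CommandLine follow Sysmon Event ID 1), treats both the `-c` and `/c` switch spellings as the configuration-update flag (an assumption of this example), and matches the flag as a whole argument so that a path merely containing "-c" does not fire.

```python
"""Runnable sketch of the Sysmon configuration-update detection.
Added example, not the rule's own source; sample events are constructed."""

SYSMON_IMAGES = ("sysmon.exe", "sysmon64.exe")
SYSMON_DESCRIPTION = "system activity monitor"   # PE file description of Sysmon
CONFIG_FLAGS = {"-c", "/c"}                      # config-update switch (assumed spellings)


def is_sysmon_process(event):
    """Selection 1: image name is Sysmon64.exe/Sysmon.exe, or the PE description
    identifies the binary as Sysmon (this second test catches renamed copies)."""
    image = event.get("Image", "").lower()
    description = event.get("Description", "").lower()
    return image.endswith(SYSMON_IMAGES) or SYSMON_DESCRIPTION in description


def has_config_update_flag(event):
    """Selection 2: the config-update switch appears as a standalone argument.
    Tokenising instead of a raw substring search avoids firing on values such
    as 'sysmon-config.xml' that merely contain the characters '-c'."""
    tokens = event.get("CommandLine", "").split()
    return any(t.lower() in CONFIG_FLAGS for t in tokens)


def matches(event):
    """Alert only when both selections hold (the rule's 'all of' condition)."""
    return is_sysmon_process(event) and has_config_update_flag(event)


def detect(events):
    """Return the events that would raise the alert, for analyst triage."""
    return [e for e in events if matches(e)]


# Constructed sample process-creation events for a quick self-check.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Sysmon64.exe", "Description": "System activity monitor",
     "CommandLine": r"C:\Windows\Sysmon64.exe -c C:\cfg\new.xml"},      # config update: alert
    {"Image": r"C:\Users\Public\svc.exe", "Description": "System activity monitor",
     "CommandLine": r"svc.exe /c C:\cfg\new.xml"},                       # renamed Sysmon: alert
    {"Image": r"C:\Windows\Sysmon64.exe", "Description": "System activity monitor",
     "CommandLine": r"Sysmon64.exe -i C:\cfg\sysmon-config.xml"},       # '-c' only inside a path: no alert
    {"Image": r"C:\Windows\System32\cmd.exe", "Description": "Windows Command Processor",
     "CommandLine": "cmd.exe /c whoami"},                                # '/c' but not Sysmon: no alert
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT: Sysmon configuration update ->", hit["CommandLine"])
```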
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2023-03-09