
Summary
This detection rule monitors the configuration of ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) routers on Windows hosts. ISATAP is a protocol used for transitioning from IPv4 to IPv6; however, the presence of unauthorized or unexpected configurations could indicate a security threat, particularly IPv6 DNS takeover attacks. Attackers can exploit legitimate ISATAP configurations to set up rogue routers that intercept network traffic. The rule specifically looks for the EventID 4100 from the Microsoft-Windows-Iphlpsvc provider, which would indicate a newly configured ISATAP router. Careful consideration must be given to baseline behaviors in the network and to known legitimate ISATAP deployments to prevent false positives. The detection mechanism filters out settings that are configured to localhost or null, ensuring that only genuine anomalies are flagged for review. The rule is designated as medium severity, reflecting its importance in safeguarding network integrity, particularly in environments transitioning to IPv6.
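The filtering logic described above, written out as a small detector that can be run over exported event records. This is an added example and not the rule's own query or the vendor's code: the event field names (`Provider`, `EventID`, `Computer`, `RouterName`) and the sample events are assumptions constructed for illustration, and the allowlist stands in for the known legitimate ISATAP deployments the text says must be baselined.

```python
"""Added example: flag newly configured ISATAP routers from Windows event records.

Implements the detection logic described above: Event ID 4100 from the
Microsoft-Windows-Iphlpsvc provider, ignoring router values set to localhost
or null, and suppressing routers on a baseline allowlist.
Field names such as "RouterName" are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

ISATAP_EVENT_ID = 4100
ISATAP_PROVIDER = "Microsoft-Windows-Iphlpsvc"

# Router values the rule treats as "no router configured" and filters out.
BENIGN_ROUTER_VALUES = {"", "null", "none", "localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class ISATAPAlert:
    host: str
    router: str
    severity: str = "medium"  # severity assigned by the rule


def _is_benign_router(value: Optional[str]) -> bool:
    """True for null/empty/localhost-style values that carry no real router."""
    return (value or "").strip().lower() in BENIGN_ROUTER_VALUES


def evaluate_event(event: dict) -> Optional[ISATAPAlert]:
    """Return an ISATAPAlert if a single event record matches the rule, else None."""
    if event.get("Provider") != ISATAP_PROVIDER:
        return None
    if int(event.get("EventID", -1)) != ISATAP_EVENT_ID:
        return None
    router = event.get("RouterName")  # assumed field name for the configured router
    if _is_benign_router(router):
        return None
    return ISATAPAlert(host=str(event.get("Computer", "unknown")), router=router.strip())


def evaluate_events(events: Iterable[dict], allowlist: Iterable[str] = ()) -> list:
    """Run the rule over a batch of events.

    allowlist holds the baselined, legitimate ISATAP routers for the environment;
    alerts for those are suppressed to keep false positives down.
    """
    known = {name.strip().lower() for name in allowlist}
    alerts = []
    for ev in events:
        alert = evaluate_event(ev)
        if alert is not None and alert.router.lower() not in known:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Provider": ISATAP_PROVIDER, "EventID": 4100, "Computer": "WS01",
     "RouterName": "isatap.corp.example"},          # baselined router
    {"Provider": ISATAP_PROVIDER, "EventID": 4100, "Computer": "WS02",
     "RouterName": "localhost"},                    # filtered out
    {"Provider": ISATAP_PROVIDER, "EventID": 4100, "Computer": "WS03",
     "RouterName": None},                           # null, filtered out
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4100,
     "Computer": "WS04", "RouterName": "whatever"}, # wrong provider
    {"Provider": ISATAP_PROVIDER, "EventID": 4101, "Computer": "WS05",
     "RouterName": "isatap.corp.example"},          # wrong event id
    {"Provider": ISATAP_PROVIDER, "EventID": 4100, "Computer": "WS06",
     "RouterName": "unexpected-host.example.net"},  # genuine anomaly
]

BASELINE_ALLOWLIST = ["isatap.corp.example"]

if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS, BASELINE_ALLOWLIST):
        print(f"[{alert.severity}] new ISATAP router on {alert.host}: {alert.router}")
```

Without an allowlist the batch above yields two alerts (WS01 and WS06); with the baselined router allowlisted only WS06 remains, which is the review queue the rule is meant to produce.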
Categories
- Network
- Endpoint
- Windows
Data Sources
- Process
- Logon Session
- Network Traffic
Created: 2025-10-19