
Summary
This anomaly detects Windows registry key deletions related to the CrowdStrike agent, as observed through Sysmon EventID 12 (Registry Key Deletion). The rule targets deletions of CrowdStrike keys within the SYSTEM hive and flags them as potential agent uninstall activity. Legitimate agent uninstalls during planned maintenance are expected, but deletions outside approved windows may indicate tampering or defense evasion (e.g., the CVE-2022-44721 pattern).

The detection is a Splunk SPL search that matches a TargetObject under the CrowdStrike registry key, action=deleted, and the related registry fields, then aggregates by Computer, EventID, TargetObject, action, and the remaining registry/process metadata to compute firstTime and lastTime, and finally applies a Windows-specific removal filter.

Implementation relies on EDR telemetry ingested with process GUID, process name, parent process, and full command line, mapped to the Processes node of the Endpoint CIM data model for normalized fields. The rule includes drill-downs to view results by user and destination and to examine risk events, plus a risk-based alert tied to the destination host with associated threat context. References point to CVE-2022-44721 and CsFalconUninstaller guidance to contextualize potential abuse.

False positives may occur during legitimate maintenance or IT workflows, so such events should be correlated with change windows and asset ownership before alerting.
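The same logic outside Splunk, as an added example that is not part of the original rule: it filters constructed Sysmon EventID 12 records for deletions under the CrowdStrike key in the SYSTEM hive, aggregates them into firstTime/lastTime/count the way the SPL does, and suppresses hits that fall inside an approved change window (the correlation step the false-positive note calls for). The key path, host names, users and timestamps are all constructed.

```python
import re
from datetime import datetime

# Assumed key layout: the Falcon sensor's keys sit under HKLM\SYSTEM\CrowdStrike.
CROWDSTRIKE_KEY = re.compile(r"^HKLM\\SYSTEM\\CrowdStrike(\\|$)", re.IGNORECASE)
TS = "%Y-%m-%d %H:%M:%S"

# Constructed Sysmon records with the fields Splunk extracts; not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 12, "EventType": "DeleteKey", "UtcTime": "2026-04-13 09:01:10",
     "TargetObject": r"HKLM\SYSTEM\CrowdStrike\ExampleSubkey", "Image": r"C:\Windows\System32\msiexec.exe", "User": r"CORP\svc_install"},
    {"Computer": "WS01", "EventID": 12, "EventType": "DeleteKey", "UtcTime": "2026-04-13 09:01:12",
     "TargetObject": r"HKLM\SYSTEM\CrowdStrike", "Image": r"C:\Windows\System32\msiexec.exe", "User": r"CORP\svc_install"},
    {"Computer": "WS02", "EventID": 12, "EventType": "DeleteKey", "UtcTime": "2026-04-13 23:40:05",
     "TargetObject": r"HKLM\SYSTEM\CrowdStrike\ExampleSubkey", "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\jdoe"},
    {"Computer": "WS02", "EventID": 12, "EventType": "DeleteKey", "UtcTime": "2026-04-13 23:40:09",
     "TargetObject": r"HKLM\SYSTEM\CrowdStrike\ExampleSubkey", "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\jdoe"},
    {"Computer": "WS02", "EventID": 12, "EventType": "CreateKey", "UtcTime": "2026-04-13 23:41:00",
     "TargetObject": r"HKLM\SYSTEM\CrowdStrike\ExampleSubkey", "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\jdoe"},
    {"Computer": "WS03", "EventID": 12, "EventType": "DeleteKey", "UtcTime": "2026-04-13 11:00:00",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc", "Image": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

def detect_crowdstrike_key_deletions(events, change_windows=()):
    """Mirror the SPL: EventID 12, action=deleted, TargetObject under the CrowdStrike key,
    aggregated by Computer/EventID/TargetObject/action/Image/User with firstTime, lastTime
    and count. change_windows are (start, end) strings in TS format; hits inside are dropped."""
    windows = [(datetime.strptime(s, TS), datetime.strptime(e, TS)) for s, e in change_windows]
    groups = {}
    for ev in events:
        if ev["EventID"] != 12 or ev["EventType"] != "DeleteKey":
            continue  # only Sysmon registry object deletions (Splunk action=deleted)
        if not CROWDSTRIKE_KEY.search(ev["TargetObject"]):
            continue  # not a key under the CrowdStrike branch of the SYSTEM hive
        ts = datetime.strptime(ev["UtcTime"], TS)
        if any(start <= ts <= end for start, end in windows):
            continue  # expected uninstall inside an approved change window
        key = (ev["Computer"], ev["EventID"], ev["TargetObject"], "deleted", ev["Image"], ev["User"])
        g = groups.setdefault(key, {"firstTime": ts, "lastTime": ts, "count": 0})
        g["firstTime"], g["lastTime"] = min(g["firstTime"], ts), max(g["lastTime"], ts)
        g["count"] += 1
    # Render timestamps as strings so results read like Splunk's firstTime/lastTime.
    return {k: {"firstTime": v["firstTime"].strftime(TS), "lastTime": v["lastTime"].strftime(TS),
                "count": v["count"]} for k, v in groups.items()}

if __name__ == "__main__":
    hits = detect_crowdstrike_key_deletions(SAMPLE_EVENTS, [("2026-04-13 09:00:00", "2026-04-13 10:00:00")])
    for key, agg in hits.items():
        print(key[0], key[2], key[4], agg)
```

With the 09:00-10:00 window supplied, the msiexec deletions on WS01 are suppressed and only the out-of-hours reg.exe deletions on WS02 remain, collapsed into one row with count 2.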
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Logon Session
- Command
- Kernel
- File
- WMI
- Sensor Health
- Module
- Service
- Domain Name
ATT&CK Techniques
- T1685
- T1562
Created: 2026-04-13