Windows Audit Policy Auditing Option Modified - Registry

Splunk Security Content

Summary
This analytic rule identifies potentially malicious modifications to auditing options in the Windows registry, specifically under the key 'HKLM\System\CurrentControlSet\Control\Lsa\'. The values monitored are 'CrashOnAuditFail', 'FullPrivilegeAuditing', 'AuditBaseObjects', and 'AuditBaseDirectories'. Changes to these values may indicate that a threat actor is attempting to disable auditing in order to evade detection during an attack. The rule is built on Sysmon EventID 13 (registry value set) data from the Endpoint Registry data model, which records the details needed to identify the modification together with the associated process, user, and timestamp. When a change is detected, it is important to investigate further and establish whether it is legitimate, since such changes can help an attacker evade security controls and may precede host compromise or lateral movement across the network.
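As an added illustration (not code from the Splunk rule itself), the following Python applies the rule's core match to constructed Sysmon registry events: it keeps only EventID 13 records whose TargetObject is one of the four watched values under the Lsa key and returns the process, user and timestamp context for triage. The field names follow Sysmon's registry event layout; accepting ControlSet00N as an alias of CurrentControlSet is an assumption.

```python
import re
from typing import Iterable, Optional

# Value names under the Lsa key named in the rule summary (compared case-insensitively).
WATCHED_VALUES = {"crashonauditfail", "fullprivilegeauditing", "auditbaseobjects", "auditbasedirectories"}

# The Lsa key as Sysmon records it in TargetObject. Assumption: the control set may also
# appear as ControlSet00N rather than CurrentControlSet, so both spellings are accepted.
_LSA_VALUE = re.compile(
    r"^HKLM\\System\\(CurrentControlSet|ControlSet\d{3})\\Control\\Lsa\\([^\\]+)$", re.IGNORECASE)

def match_audit_option_change(event: dict) -> Optional[dict]:
    """Return alert details if a Sysmon EventID 13 (SetValue) event writes a watched value."""
    if event.get("EventID") != 13:  # EventID 12 (key create/delete) carries no value data
        return None
    m = _LSA_VALUE.match(event.get("TargetObject", ""))
    if not m or m.group(2).lower() not in WATCHED_VALUES:
        return None
    return {"time": event.get("UtcTime"), "host": event.get("Computer"), "user": event.get("User"),
            "process": event.get("Image"), "value_name": m.group(2),
            "new_data": event.get("Details")}  # Details holds the data written, e.g. "DWORD (0x00000000)"

def find_audit_option_changes(events: Iterable[dict]) -> list:
    """Run the match over a stream of events and collect the alerts in order."""
    return [a for e in events if (a := match_audit_option_change(e)) is not None]

# Constructed sample records in the Sysmon registry-event field layout (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2025-01-27 10:15:02.101", "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\regedit.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\CrashOnAuditFail"},
    {"EventID": 13, "UtcTime": "2025-01-27 10:15:09.440", "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\svchost.exe", "Details": "DWORD (0x00000003)",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel"},  # not watched
    {"EventID": 12, "UtcTime": "2025-01-27 10:16:00.000", "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\lsass.exe", "Details": "",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\AuditBaseDirectories"},  # wrong EventID
    {"EventID": 13, "UtcTime": "2025-01-27 10:17:31.812", "Computer": "WS02", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\reg.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": "HKLM\\System\\ControlSet001\\Control\\Lsa\\AuditBaseObjects"},
]
```

Only the first and last sample records produce alerts; the returned context (process image, user, written data) is what an analyst would pivot on to decide whether the change was an administrative action or tampering.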
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1547.014
  • T1562.002
Created: 2025-01-27