
Summary
The rule "Windows Defender ASR Rule Disabled" is designed to track and detect instances when Application Guard for Windows Defender is disabled. ASR rules are pivotal in reducing the attack surface by blocking potentially harmful actions and apps that malware typically attempts to leverage for infiltration. This detection rule focuses on monitoring Windows Event Logs for disabling events associated with ASR rules. When an ASR rule is disabled, it generates Event Code 5007, which the rule captures and analyzes. The detection includes parsing the registry values associated with ASR settings to track changes, highlighting the potential risk linked to these modifications. It provides visibility into the security posture by logging the details of the process, its previous state, and the rule that was altered, thereby aiding incident response and forensic analysis in environments where ASR is critical for endpoint security.
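The following is an added example, not the detection rule's own implementation, showing the parsing step the summary describes: take Event 5007 records, pull the old and new ASR registry values out of the message text, and raise an alert only when a rule's state moves to 0. The registry path, the state-value meanings (0 = disabled, 1 = block, 2 = audit, 6 = warn), and the "Old value: ... New value: ..." message layout are assumptions about the 5007 event format; the sample events and the rule GUID are constructed for the example.

```python
"""Parse Windows Defender Event 5007 records and flag ASR rules set to disabled.

Added example (not the detection rule's own code). The registry path, the
state-value meanings and the "Old value / New value" message layout are
assumptions; the sample events below, including the rule GUID, are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed location of per-rule ASR settings in the registry.
ASR_RULES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
# Assumed meaning of the per-rule state value.
ASR_STATES = {0: "disabled", 1: "block", 2: "audit", 6: "warn"}

# Captures the "Old value: <path> = <value>" / "New value: <path> = <value>"
# pair that a 5007 configuration-change message is assumed to carry.
VALUE_RE = re.compile(
    r"Old value:\s*(?P<old_path>[^=\r\n]+?)\s*=\s*(?P<old_val>0x[0-9A-Fa-f]+|\d+)"
    r".*?New value:\s*(?P<new_path>[^=\r\n]+?)\s*=\s*(?P<new_val>0x[0-9A-Fa-f]+|\d+)",
    re.S,
)


@dataclass
class AsrChange:
    rule_id: str      # ASR rule GUID, upper-case, without braces
    old_state: int
    new_state: int

    @property
    def disabled(self) -> bool:
        """True when the rule moved from an enforcing/auditing state to 0."""
        return self.old_state != 0 and self.new_state == 0

    def describe(self) -> str:
        old = ASR_STATES.get(self.old_state, f"unknown({self.old_state})")
        new = ASR_STATES.get(self.new_state, f"unknown({self.new_state})")
        return f"ASR rule {self.rule_id}: {old} -> {new}"


def _to_int(text: str) -> int:
    """Registry values appear as hex (0x1) or decimal in the message text."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_asr_change(event: dict) -> Optional[AsrChange]:
    """Return an AsrChange for a 5007 event that touches an ASR rule value, else None."""
    if event.get("EventID") != 5007:
        return None
    m = VALUE_RE.search(event.get("Message", ""))
    if not m:
        return None
    new_path = m.group("new_path").strip()
    if not new_path.upper().startswith(ASR_RULES_KEY.upper() + "\\"):
        return None  # some other Defender setting changed; out of scope for this rule
    rule_id = new_path.rsplit("\\", 1)[-1].strip("{}").upper()
    return AsrChange(rule_id, _to_int(m.group("old_val")), _to_int(m.group("new_val")))


def detect_disabled_rules(events: Iterable[dict]) -> List[AsrChange]:
    """Apply the rule: every 5007 that sets an ASR rule value to 0 is an alert."""
    hits = []
    for ev in events:
        change = parse_asr_change(ev)
        if change and change.disabled:
            hits.append(change)
    return hits


# Constructed sample events. The GUID is a placeholder, not a real ASR rule id.
_RULE_PATH = f"{ASR_RULES_KEY}\\{{11111111-2222-3333-4444-555555555555}}"
_RTP_PATH = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"
_HEADER = "Windows Defender Antivirus Configuration has changed.\r\n"
SAMPLE_EVENTS = [
    # block -> disabled: should alert
    {"EventID": 5007, "Message": f"{_HEADER}Old value: {_RULE_PATH} = 0x1\r\nNew value: {_RULE_PATH} = 0x0"},
    # block -> audit: a weakening, but not "disabled" under this rule's logic
    {"EventID": 5007, "Message": f"{_HEADER}Old value: {_RULE_PATH} = 0x1\r\nNew value: {_RULE_PATH} = 0x2"},
    # a 5007 for a non-ASR setting: ignored here
    {"EventID": 5007, "Message": f"{_HEADER}Old value: {_RTP_PATH} = 0x0\r\nNew value: {_RTP_PATH} = 0x1"},
    # a different event id entirely
    {"EventID": 1116, "Message": "Windows Defender Antivirus has detected malware."},
]

if __name__ == "__main__":
    for hit in detect_disabled_rules(SAMPLE_EVENTS):
        print("ALERT:", hit.describe())
```

Note that the second sample (block to audit) is deliberately not flagged: it is a real weakening of coverage, and a team that cares about it would extend the condition to any transition away from state 1 rather than only to 0.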
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1112
- T1059
Created: 2024-11-13