
Windows Defender Exploit Guard Tamper

Sigma Rules

Summary
This detection rule identifies modifications to the Windows Defender Exploit Guard settings, specifically the 'ProtectedFolders' and 'AllowedApplications' configurations. It raises an alert when an application or directory is added to or removed from either of these designated lists. Watching these settings is essential for defending against exploitation and unauthorized access attempts that could compromise system integrity.

The detection is based on Event ID 5007, which logs changes to the Exploit Guard settings. The rule checks whether the change touched the key paths associated with allowed applications and protected folders, and keywords in the event text indicate whether an application is being added or an existing entry is being removed. For allowed applications, the rule primarily looks for entries in specific directories, such as public user folders and system temp directories.

The rule is classified as high severity because of the risk involved in tampering with security configurations. It helps maintain the security posture of Windows systems by monitoring critical Exploit Guard settings and alerting security teams to suspicious activity that may indicate an attack attempt.
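As an added illustration (not the rule's own logic and not code from this page), the following Python models how such a rule could evaluate Event ID 5007 records: it parses the Old value / New value lines, decides add versus remove from which side names the AllowedApplications or ProtectedFolders key, and keeps allowed-application findings only when the entry sits under a user-writable directory. The registry key text, the message layout, the directory list and the sample events are assumptions constructed for this example.

```python
import re
from typing import Optional

# Key paths under HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard
# whose entries the rule watches (assumption: the 5007 message quotes the full key path).
WATCHED = ("Controlled Folder Access\\AllowedApplications",
           "Controlled Folder Access\\ProtectedFolders")
# User-writable locations: an allowed application here defeats Controlled Folder Access.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\windows\\temp\\", "\\appdata\\local\\temp\\")
_VALUE_RE = re.compile(r"(Old|New) value:[ \t]*([^\r\n]*)")

def parse_5007(message: str) -> dict:
    """Return {'Old': text, 'New': text} from a 5007 'Configuration has changed' message."""
    return {k: v.strip() for k, v in _VALUE_RE.findall(message)}

def classify(event: dict) -> Optional[dict]:
    """Return a finding for a watched Exploit Guard change the rule would alert on, else None."""
    if event.get("EventID") != 5007:
        return None
    vals = parse_5007(event.get("Message", ""))
    old, new = vals.get("Old", ""), vals.get("New", "")
    # Entry added: New value names the key and Old is empty. Entry removed: the reverse.
    if any(k in new for k in WATCHED):
        action, text = "added", new
    elif any(k in old for k in WATCHED):
        action, text = "removed", old
    else:
        return None
    setting = "AllowedApplications" if "AllowedApplications" in text else "ProtectedFolders"
    # Value text looks like '<key>\<entry> = 0x0'; keep only the application or folder path.
    parts = text.split(setting + "\\", 1)
    entry = parts[1].split(" = ")[0] if len(parts) == 2 else ""
    # Any protected-folder change alerts; allowed-application changes only in user-writable dirs.
    if setting == "AllowedApplications" and not any(d in entry.lower() for d in SUSPICIOUS_DIRS):
        return None
    return {"action": action, "setting": setting, "entry": entry}

def scan(events: list) -> list:
    """Run the rule over a batch of event records and collect the findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample events (not captured log data) in the assumed 5007 message layout.
_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\"
def _msg(old: str, new: str) -> str:
    return f"Windows Defender Configuration has changed.\r\n\tOld value: {old}\r\n\tNew value: {new}"
SAMPLE_EVENTS = [
    {"EventID": 5007, "Message": _msg("", _KEY + "AllowedApplications\\C:\\Users\\Public\\update.exe = 0x0")},
    {"EventID": 5007, "Message": _msg(_KEY + "ProtectedFolders\\C:\\Finance = 0x0", "")},
    {"EventID": 5007, "Message": _msg(_KEY + "AllowedApplications\\C:\\Program Files\\Vendor\\app.exe = 0x0", "")},
    {"EventID": 1116, "Message": "Windows Defender has detected malware."},
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings: the allowed application added under the public user folder and the removed protected folder; the vendor application under Program Files and the non-5007 event produce none.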
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
Created: 2022-08-05