Dism Remove Online Package

Sigma Rules

Summary
This detection rule identifies the use of the Deployment Image Servicing and Management (DISM) tool on Windows systems to disable features in an image. Specifically, it monitors for the execution of 'DismHost.exe' and 'Dism.exe' processes with command-line arguments that include '/Online' and '/Disable-Feature'. This functionality can be abused by malicious actors to disable security features such as Windows Defender, thereby weakening the system's defenses against malware and other attacks. The rule uses a selection condition that triggers an alert if any one of the specified command-line configurations is matched, which is indicative of potentially malicious activity.
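The selection logic described above, modeled in Python over a few constructed process-creation events. This is an added example, not the rule's own YAML: the field names (Image, CommandLine) follow the Sigma process_creation convention, and the suffix/argument matching is an assumption reconstructed from the summary, since the rule text itself is not on this page.

```python
import re

# Constructed sample events (not real telemetry); fields mirror the
# Sigma process_creation logsource. Event 4 is a cmd.exe wrapper: the
# rule keys on the DISM image, so only the child dism.exe event would fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "Dism.exe /Online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart"},
    {"Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "Dism.exe /Online /Get-Features"},
    {"Image": r"C:\Windows\TEMP\ABC\DismHost.exe",
     "CommandLine": "DismHost.exe {constructed-guid}"},
    {"Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "dism /online /disable-feature /featurename:SMB1Protocol"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dism /online /disable-feature"},
]

# Assumed selection: Image endswith one of these AND CommandLine contains
# all of these. Sigma string modifiers are case-insensitive by default.
IMAGE_SUFFIXES = ("\\dismhost.exe", "\\dism.exe")
REQUIRED_ARGS = ("/online", "/disable-feature")


def matches_rule(event):
    """True if the event satisfies the reconstructed selection."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIXES):
        return False
    return all(arg in cmdline for arg in REQUIRED_ARGS)


def disabled_feature(event):
    """Extract the /FeatureName value for triage (None if absent)."""
    m = re.search(r"/featurename:(\S+)", event.get("CommandLine", ""), re.IGNORECASE)
    return m.group(1) if m else None


def run_detection(events):
    """Return (event index, feature name) for each matching event."""
    return [(i, disabled_feature(e)) for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for idx, feature in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event={idx} feature={feature} cmd={SAMPLE_EVENTS[idx]['CommandLine']}")
```

Disabling a Windows feature through DISM is also routine administrative work, so the extracted feature name is the first thing to triage against an expected-change baseline before escalating.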
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1562.001
Created: 2022-01-16