
Summary
This analytic detection rule identifies modifications to the Windows registry that disable the Windows Defender Controlled Folder Access (CFA) feature, as recorded by Sysmon registry events. Controlled Folder Access is a security layer that protects important folders from unauthorized changes, particularly by ransomware and other malicious software. The rule monitors for registry changes in which the EnableControlledFolderAccess value is set to '0x00000000', indicating that the feature has been turned off. Disabling this feature exposes a system to significant risk, because it removes a defense against unauthorized writes to sensitive files. The detection uses data available in the Endpoint.Registry data model, giving broad coverage of the relevant events and supporting an effective response to a potential security breach.
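The following is an added illustration of the detection logic described above, written here as example code rather than taken from the rule itself. It works on raw Sysmon Event ID 13 (RegistryEvent: Value Set) fields instead of the normalized Endpoint.Registry data model fields, and the full registry key path used in the constructed sample events is an assumption; the page itself only names the EnableControlledFolderAccess value.

```python
import re
from typing import Dict, Iterable, List

# Value name the rule keys on (named on the page). The containing key path
# used in the sample events below is an assumption, not taken from the page.
CFA_VALUE_NAME = "EnableControlledFolderAccess"

# Sysmon EID 13 stores DWORD data in the Details field as "DWORD (0x00000000)".
_DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]{8})\)")


def is_cfa_disable(event: Dict[str, str]) -> bool:
    """True when a Sysmon value-set event writes EnableControlledFolderAccess = 0."""
    if event.get("EventID") != "13":
        return False
    target = event.get("TargetObject", "")
    if not target.endswith("\\" + CFA_VALUE_NAME):
        return False
    match = _DWORD_RE.search(event.get("Details", ""))
    # Compare numerically so "0x00000000" and "0x0" are treated the same.
    return bool(match) and int(match.group(1), 16) == 0


def find_cfa_disables(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that should raise a 'CFA disabled' alert."""
    return [e for e in events if is_cfa_disable(e)]


# Constructed sample events shaped like Sysmon EID 13 records (not real telemetry).
_CFA_KEY = ("HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard"
            "\\Controlled Folder Access\\" + CFA_VALUE_NAME)
SAMPLE_EVENTS = [
    # CFA turned off: this is the event the rule is meant to catch.
    {"EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _CFA_KEY, "Details": "DWORD (0x00000000)"},
    # CFA turned on: same value, non-zero data, must not alert.
    {"EventID": "13", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": _CFA_KEY, "Details": "DWORD (0x00000001)"},
    # Unrelated value set to zero: must not alert.
    {"EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Example\\SomeOtherValue",
     "Details": "DWORD (0x00000000)"},
    # Key/value creation event (EID 12), not a value set: must not alert.
    {"EventID": "12", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": _CFA_KEY, "Details": ""},
]

if __name__ == "__main__":
    for hit in find_cfa_disables(SAMPLE_EVENTS):
        print(f"ALERT: CFA disabled by {hit['Image']} -> {hit['TargetObject']}")
```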
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-11-13