Windows Global Object Access Audit List Cleared Via Auditpol

Splunk Security Content

Summary
This rule detects execution of `auditpol.exe` with arguments that clear or remove the global object access audit policy, a potential defense evasion tactic used by adversaries. It looks for the command-line argument "/resourceSACL" combined with "/clear" or "/remove", which indicates an attempt to tamper with a key auditing policy that would otherwise record access to files and registry keys, and whose removal could conceal later activity. Using process telemetry from Endpoint Detection and Response (EDR) systems, the rule identifies this suspicious process activity, which can precede further system compromise and lateral movement across the network. Because of the risk associated with such actions, detections warrant thorough investigation.
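As an added illustration, not code from the Splunk Security Content rule itself, the following Python reproduces the rule's matching logic over a handful of constructed process-creation events (the event field names, hostnames and users are assumptions). It handles quoted and fully qualified image paths, compares switches case-insensitively, and leaves benign `auditpol` invocations such as `/get` or `/resourceSACL ... /view` unflagged.

```python
# Constructed sample EDR process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "dest": "ws01", "user": r"CORP\alice",
     "process": r"C:\Windows\System32\auditpol.exe /resourceSACL /type:File /clear"},
    {"id": 2, "dest": "ws02", "user": r"CORP\svc-backup",
     "process": r"AUDITPOL.EXE /resourceSACL /type:Key /remove /user:CORP\svc-backup"},
    {"id": 3, "dest": "ws03", "user": r"CORP\bob",
     "process": r"auditpol.exe /get /category:*"},                      # benign query
    {"id": 4, "dest": "ws03", "user": r"CORP\bob",
     "process": r"auditpol.exe /resourceSACL /type:File /view"},        # benign view
    {"id": 5, "dest": "ws04", "user": r"CORP\carol",
     "process": r"cmd.exe /c type notes.txt"},                          # other process
    {"id": 6, "dest": "ws05", "user": r"CORP\dave",
     "process": r'"C:\Windows\System32\auditpol.exe" /resourceSACL /type:Key /clear'},
]


def parse_command_line(cmdline):
    """Split a Windows command line into (image basename, argument tokens).
    The image may be quoted or given as a full path; the basename is lowercased."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        image, rest = cmdline[1:end], cmdline[end + 1:]
    else:
        image, _, rest = cmdline.partition(" ")
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return basename, rest.split()


def is_global_sacl_clear(cmdline):
    """True when auditpol.exe is run with /resourceSACL plus /clear or /remove."""
    image, args = parse_command_line(cmdline)
    if image != "auditpol.exe":
        return False
    switches = {a.lower() for a in args}
    return "/resourcesacl" in switches and bool(switches & {"/clear", "/remove"})


def find_detections(events):
    """Return one alert per matching event, carrying the fields an analyst triages on."""
    alerts = []
    for ev in events:
        if not is_global_sacl_clear(ev["process"]):
            continue
        _, args = parse_command_line(ev["process"])
        lowered = [a.lower() for a in args]
        action = "/clear" if "/clear" in lowered else "/remove"
        # The /type: value (File or Key) tells the analyst which SACL category was touched.
        sacl_type = next((a.split(":", 1)[1] for a in args if a.lower().startswith("/type:")), "unknown")
        alerts.append({"id": ev["id"], "dest": ev["dest"], "user": ev["user"],
                       "action": action, "type": sacl_type})
    return alerts
```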
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1562.002
Created: 2025-01-27