
Summary
The analytic rule 'Change Default File Association' has been deprecated. It detected registry modifications that alter Windows default file associations. In Windows, a file extension maps to a ProgID, and the command executed when a user opens a file of that type is stored in the shell\<verb>\command subkey (most often shell\open\command) under HKCR (HKEY_CLASSES_ROOT). An attacker who rewrites that command value (ATT&CK T1546.001) gets arbitrary code executed every time a user opens a file with that extension, which yields both code execution and persistence on a compromised host; the value can point at any executable or script host, so the technique is not limited to one payload type. The rule therefore looked for registry activity whose path fell under HKCR and contained a shell ... command subkey. Its data source was Sysmon Event ID 12 (registry key created or deleted) and Event ID 13 (registry value set), so it required Sysmon, or an endpoint product such as Carbon Black that produces equivalent registry telemetry, to be deployed and forwarded. Because the rule is deprecated, its logic is no longer maintained; environments that still want coverage for this technique should ensure a current detection watches the same registry paths.
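As an added illustration (not the rule's own search, and not code from the page or its authors), the following Python re-implements the registry check described above over a handful of constructed Sysmon Event ID 12/13 records. It goes slightly beyond the original rule's HKCR-only path match by also accepting the HKLM\SOFTWARE\Classes and HKU\<SID>\SOFTWARE\Classes forms that make up the HKCR view; the sample events, hostnames, users and file paths are all invented for the example.

```python
"""Added example: minimal offline re-implementation of a "default file
association changed" registry check over constructed Sysmon records.
This is not the deprecated rule's original search; events below are made up."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sysmon registry event IDs the rule relied on.
SYSMON_KEY_CREATE_DELETE = 12   # RegistryEvent (Object create and delete)
SYSMON_VALUE_SET = 13           # RegistryEvent (Value Set)

# Default file associations live under <Classes root>\<ProgID>\shell\<verb>\command.
# The rule matched HKCR only; this pattern (an extension of it, see lead-in) also
# accepts the machine- and user-level Classes hives that HKCR merges together.
ASSOC_COMMAND_RE = re.compile(
    r"^(?:HKCR|HKLM\\SOFTWARE\\Classes|HKU\\[^\\]+\\SOFTWARE\\Classes)"
    r"\\(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command"
    r"(?:\\(?P<value>[^\\]*))?$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    user: str
    process: str   # image that performed the write (useful for triage)
    progid: str    # ProgID or extension key whose handler changed
    verb: str      # shell verb, e.g. "open"
    command: str   # new command line for EID 13; placeholder for EID 12


def check_event(evt: dict) -> Optional[Finding]:
    """Return a Finding when a Sysmon EID 12/13 record touches a file-association command key."""
    if evt.get("EventID") not in (SYSMON_KEY_CREATE_DELETE, SYSMON_VALUE_SET):
        return None
    m = ASSOC_COMMAND_RE.match(evt.get("TargetObject", ""))
    if not m:
        return None
    if evt["EventID"] == SYSMON_VALUE_SET:
        command = evt.get("Details", "")
    else:
        command = "<key created/deleted>"
    return Finding(
        host=evt.get("Computer", ""),
        user=evt.get("User", ""),
        process=evt.get("Image", ""),
        progid=m["progid"],
        verb=m["verb"],
        command=command,
    )


def scan(events: List[dict]) -> List[Finding]:
    """Apply check_event to every record and keep the hits."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample records: field names follow Sysmon's schema, values are invented.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKCR\\txtfile\\shell\\open\\command\\(Default)",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\update.exe \"%1\""},
    {"EventID": 13, "Computer": "ws01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain",
     "Details": "corp.local"},
    {"EventID": 12, "Computer": "ws02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKCR\\.js\\shell\\open\\command"},
    {"EventID": 13, "Computer": "ws02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\SOFTWARE\\Classes\\txtfile\\shell\\open\\command\\(Default)",
     "Details": "wscript.exe //B \"C:\\ProgramData\\a.vbs\" \"%1\""},
    {"EventID": 1, "Computer": "ws02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetObject": "HKCR\\txtfile\\shell\\open\\command\\(Default)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the three registry records that touch a shell\open\command key are returned; the unrelated Tcpip write and the EID 1 process-create record are ignored even though the latter carries a matching path, because the rule was scoped to registry events. In practice the Finding's process and command fields are what an analyst triages: a write from regedit.exe or reg.exe that points a common document type at a user-writable path or a script host is far more suspicious than the same key being set by an installer.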
Categories
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1546.001
- T1546
Created: 2025-01-24