
Summary
This analytic detects modifications to Windows Defender exclusion registry entries, specifically under the registry path "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*". These entries are monitored because threat actors often alter them to evade detection by Windows Defender, allowing malicious code to execute unmitigated. Such modifications can let attackers bypass antivirus protections, retain access to compromised systems, and launch subsequent attacks without being recognized. Using Sysmon EventID 12 and 13, the detection rule aggregates registry modifications by tracking changes to specific attributes and flags potential threats when abnormal activity is observed. Alerts from this detection enable security teams to take timely action against adversary tactics focused on Windows Defender evasion.
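As an added illustration (not part of the analytic's own search logic), the matching and aggregation described above, run over a handful of constructed Sysmon EventID 12/13 records; the host name, user names, process paths and timestamps in the sample are made up.

```python
import fnmatch
# Registry path pattern quoted in the analytic. The leading "*" absorbs the hive
# prefix (e.g. "HKLM") that Sysmon writes into TargetObject.
EXCLUSION_PATH = r"*\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\*"
WATCHED_EVENT_IDS = {12, 13}  # Sysmon 12 = key created/deleted, 13 = value set

def is_exclusion_change(event):
    """True for a Sysmon 12/13 event whose TargetObject is under the Defender exclusions policy key (case-insensitive)."""
    if event.get("EventID") not in WATCHED_EVENT_IDS:
        return False
    return fnmatch.fnmatchcase(str(event.get("TargetObject", "")).lower(), EXCLUSION_PATH.lower())

def aggregate_exclusion_changes(events):
    """Group matching events by host, user, writing process and registry path, keeping a hit
    count and first/last UtcTime, mirroring how the analytic aggregates registry modifications."""
    groups = {}
    for e in events:
        if not is_exclusion_change(e):
            continue
        key = (e["Computer"], e.get("User", ""), e.get("Image", ""), e["TargetObject"])
        g = groups.setdefault(key, {"count": 0, "first_time": e["UtcTime"], "last_time": e["UtcTime"]})
        g["count"] += 1
        g["first_time"] = min(g["first_time"], e["UtcTime"])
        g["last_time"] = max(g["last_time"], e["UtcTime"])
    findings = [dict(host=k[0], user=k[1], process=k[2], registry_path=k[3], **v) for k, v in groups.items()]
    return sorted(findings, key=lambda f: f["first_time"])

def sysmon_event(eid, utc, user, image, target, details=""):
    """Build a record with the Sysmon EventData fields this detection reads (constructed, not real telemetry)."""
    return {"EventID": eid, "UtcTime": utc, "Computer": "ws01.corp.example", "User": user,
            "Image": image, "TargetObject": target, "Details": details}

POLICY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\"
REG = "C:\\Windows\\System32\\reg.exe"
SAMPLE_EVENTS = [  # constructed sample log records
    # Two value writes to a new path exclusion from the same process: one aggregated finding, count 2.
    sysmon_event(13, "2024-12-08 10:01:02.100", "CORP\\jdoe", REG, POLICY + "Exclusions\\Paths\\C:\\Users\\Public\\staging", "DWORD (0x00000000)"),
    sysmon_event(13, "2024-12-08 10:01:02.400", "CORP\\jdoe", REG, POLICY + "Exclusions\\Paths\\C:\\Users\\Public\\staging", "DWORD (0x00000000)"),
    # Key creation (EventID 12) under the exclusions key by a different process: second finding.
    sysmon_event(12, "2024-12-08 10:03:15.000", "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", POLICY + "Exclusions\\Extensions"),
    # Benign Defender policy write outside the Exclusions subtree: must not match.
    sysmon_event(13, "2024-12-08 10:04:00.000", "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\svchost.exe", POLICY + "Spynet\\SpynetReporting", "DWORD (0x00000002)"),
    # Process-creation event (EventID 1) from the same user: wrong event type, ignored.
    sysmon_event(1, "2024-12-08 10:00:59.000", "CORP\\jdoe", REG, ""),
]

if __name__ == "__main__":
    for f in aggregate_exclusion_changes(SAMPLE_EVENTS):
        print(f"{f['first_time']} {f['host']} {f['user']} {f['process']} -> {f['registry_path']} (x{f['count']})")
```

Running it prints two findings: the aggregated reg.exe writes (count 2) and the powershell.exe key creation, while the Spynet policy write and the process-creation event are ignored.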
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-12-08