
Summary
This detection rule identifies modifications to the Windows Registry that disable the Windows Defender SmartScreen App Install Control feature. Specifically, it focuses on two key registry values: one that allows installations from any source and another that disables the App Install Control feature entirely. Disabling this control significantly increases the risk of users unintentionally installing malicious applications that could compromise system integrity and expose sensitive information. The rule leverages Sysmon Event IDs 12 (registry key created or deleted) and 13 (registry value set) to capture these registry modifications and alert security teams to the potentially malicious intent behind such changes. Each modification of these registry values is logged and analyzed to determine whether it is part of a legitimate policy change or indicates a security violation.
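As an added illustration (not the rule's own implementation), the following Python applies the detection logic described above to constructed Sysmon Event ID 13 records in JSON-lines form. The registry location and value names (`ConfigureAppInstallControlEnabled` set to 0, `ConfigureAppInstallControl` set to `Anywhere`) are assumptions taken from the "Configure App Install Control" Group Policy setting, not values stated on this page; only SetValue events carry the written data, so Event ID 12 records are passed through without an alert.

```python
import json
import re
from typing import Dict, List, Optional

# Assumed policy location and value names (not stated on the page; taken from
# the Group Policy template that backs SmartScreen App Install Control).
POLICY_KEY = r"\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen"
VALUE_ENABLED_FLAG = "ConfigureAppInstallControlEnabled"  # DWORD 0 = feature off
VALUE_SOURCE = "ConfigureAppInstallControl"               # "Anywhere" = any source

DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")

def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD data as 'DWORD (0x00000000)'; return the int or None."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None

def classify(event: Dict) -> Optional[str]:
    """Return an alert label for one Sysmon registry event, or None if benign."""
    if event.get("EventID") != 13:  # only SetValue (ID 13) carries the new data
        return None
    key, _, value_name = event.get("TargetObject", "").rpartition("\\")
    if not key.lower().endswith(POLICY_KEY.lower()):  # HKLM or a HKU hive
        return None
    details = event.get("Details", "")
    if value_name.lower() == VALUE_ENABLED_FLAG.lower() and parse_dword(details) == 0:
        return "app_install_control_disabled"
    if value_name.lower() == VALUE_SOURCE.lower() and details.strip().lower() == "anywhere":
        return "app_install_control_any_source"
    return None  # e.g. an admin re-enabling the feature or choosing StoreOnly

def scan(lines: List[str]) -> List[Dict]:
    """Run the detection over JSON-per-line Sysmon events; return alert records."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        label = classify(ev)
        if label:
            alerts.append({"label": label, "image": ev.get("Image"), "target": ev["TargetObject"]})
    return alerts

# Constructed sample events, shaped like Sysmon registry events forwarded to a SIEM.
_HKLM = r"HKLM" + POLICY_KEY
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "TargetObject": _HKLM + "\\" + VALUE_ENABLED_FLAG, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": _HKLM + "\\" + VALUE_ENABLED_FLAG, "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "TargetObject": _HKLM + "\\" + VALUE_SOURCE, "Details": "Anywhere"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": _HKLM + "\\" + VALUE_SOURCE, "Details": "StoreOnly"},
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": _HKLM},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```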
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
ATT&CK Techniques
- T1562.001
- T1562
Created: 2025-01-21