
Summary
This detection rule identifies unauthorized modifications to the 'ThrottleDetectionEventsRate' registry setting within Windows Defender on endpoints. By monitoring Sysmon Event IDs 12 (registry object created or deleted) and 13 (registry value set), the rule detects registry changes that could allow attackers to reduce the logging frequency of critical detection events. Fewer logged events means less visibility into malicious activity, which works to the attacker's advantage. The rule uses the Endpoint.Registry data model to pinpoint changes to the registry keys specifically related to Windows Defender's operation. A decrease in the throttle rate indicates a possible evasion tactic used by attackers to hide their presence and hinder incident response. The detection aims to preserve continuous visibility into potentially malicious changes to system defenses, helping identify threats that manipulate security settings.
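The following is an added example of the detection logic the summary describes, written for this page rather than taken from the rule's own search. It parses constructed, flattened Sysmon records (a `key=value|key=value` line format invented here for readability), keeps only Event IDs 12 and 13, and flags any record whose target object sits under a Windows Defender registry path and ends in the 'ThrottleDetectionEventsRate' value name. The registry path in the samples and the `Details` field layout are assumptions; the matcher keys only on the Defender hive and the value name from the summary.

```python
"""Flag Sysmon registry events (IDs 12/13) that touch the Windows Defender
'ThrottleDetectionEventsRate' value.  Illustrative code added for this page;
the sample records and registry path below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sysmon: 12 = registry object created/deleted, 13 = registry value set
REGISTRY_EVENT_IDS = {12, 13}
VALUE_NAME = "ThrottleDetectionEventsRate"
# Match anywhere under a "Windows Defender" key; exact subkey is an assumption
DEFENDER_PATH_RE = re.compile(r"\\Windows Defender\\", re.IGNORECASE)
# Sysmon renders DWORD values in Details as "DWORD (0x00000001)"
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")


@dataclass
class Finding:
    event_id: int
    image: str            # process that performed the write
    target_object: str    # full registry path of the touched value
    new_value: Optional[int]  # decoded DWORD for Event 13, None otherwise


def parse_sysmon_line(line: str) -> Dict[str, str]:
    """Parse one flattened 'key=value|key=value' record (constructed format;
    field values are assumed not to contain '|')."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_dword(details: Optional[str]) -> Optional[int]:
    """Extract the integer from a Sysmon 'DWORD (0x...)' Details string."""
    if not details:
        return None
    match = DWORD_RE.search(details)
    return int(match.group(1), 16) if match else None


def is_throttle_tamper(event: Dict[str, str]) -> bool:
    """True when a registry event targets the Defender throttle value."""
    try:
        event_id = int(event.get("EventID", "0"))
    except ValueError:
        return False
    if event_id not in REGISTRY_EVENT_IDS:
        return False
    target = event.get("TargetObject", "")
    if not DEFENDER_PATH_RE.search(target):
        return False
    # The value name is the last path component of TargetObject
    return target.rsplit("\\", 1)[-1].lower() == VALUE_NAME.lower()


def analyze(lines: List[str]) -> List[Finding]:
    """Run the detection over raw records and return the matching findings."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_sysmon_line(line)
        if is_throttle_tamper(event):
            findings.append(Finding(
                event_id=int(event["EventID"]),
                image=event.get("Image", ""),
                target_object=event["TargetObject"],
                new_value=decode_dword(event.get("Details")),
            ))
    return findings


# Constructed sample records: one benign registry write, one value set on the
# throttle setting, one object creation for it, and one non-registry event.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\explorer.exe|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|Details=DWORD (0x00000001)",
    "EventID=13|Image=C:\\Windows\\System32\\reg.exe|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\ThrottleDetectionEventsRate|Details=DWORD (0x00000001)",
    "EventID=12|Image=C:\\Temp\\tool.exe|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\ThrottleDetectionEventsRate",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"Event {finding.event_id}: {finding.image} -> "
              f"{finding.target_object} (value={finding.new_value})")
```

In a real pipeline the same two checks map onto the Endpoint.Registry data model fields the rule uses (registry path and registry value name); the decoded DWORD is what lets an analyst see how far the throttle rate was lowered when triaging the alert.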
Categories
- Endpoint
- Windows
Data Sources
- User Account
- Windows Registry
- Process
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-11-13