Windows Impair Defense Set Win Defender Smart Screen Level To Warn

Splunk Security Content

Summary
This analytic detects modifications to the Windows registry that set the Windows Defender SmartScreen level to "warn", a change that can reduce user suspicion of executable files SmartScreen would otherwise flag. The rule relies primarily on Sysmon EventID 12 and EventID 13, which record registry key and value activity. The monitored registry path is the one holding the ShellSmartScreenLevel value. With this value set to "warn", SmartScreen only prompts before running a flagged executable rather than blocking it, which raises the risk of malware execution and system compromise. The detection is therefore useful for identifying attempts to tamper with Windows security settings and impair defenses. It is implemented as a search that evaluates the relevant registry changes and surfaces the associated security events.
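The detection logic described above, expressed as a small Python function run over constructed Sysmon-style registry events. This is an added illustration, not Splunk's own search or code; the field names (EventID, TargetObject, Details, Image, User) follow Sysmon's registry event schema, the full registry path under HKLM\SOFTWARE\Policies\Microsoft\Windows\System is assumed here because the page names only the ShellSmartScreenLevel value, and every sample event is made up for the example.

```python
import re

# Constructed Sysmon-style registry events (not real telemetry).
# EventID 12 = registry key/value created or deleted; EventID 13 = value set.
# The policy path below is an assumption; the page only names the value itself.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": r"LAB\alice",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\ShellSmartScreenLevel",
     "Details": "Warn"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\ShellSmartScreenLevel",
     "Details": "Block"},
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe", "User": r"LAB\alice",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\ShellSmartScreenLevel",
     "EventType": "DeleteValue"},
    {"EventID": 13, "Image": r"C:\Users\bob\tools\upd.exe", "User": r"LAB\bob",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\tools\upd.exe"},
]

# Match the ShellSmartScreenLevel value name at the end of the target path,
# case-insensitively, so the rule works whichever hive prefix Sysmon records.
_TARGET_RE = re.compile(r"\\ShellSmartScreenLevel$", re.IGNORECASE)


def is_smartscreen_level_event(event):
    """True for Sysmon registry events (12 or 13) touching ShellSmartScreenLevel."""
    return event.get("EventID") in (12, 13) and bool(
        _TARGET_RE.search(event.get("TargetObject", "")))


def detect_smartscreen_warn(events):
    """Return one alert per EventID 13 event that sets ShellSmartScreenLevel to Warn.

    Deletions (EventID 12) of the same value are not alerted on here, but
    are returned as context so an analyst can see the full sequence.
    """
    alerts, context = [], []
    for ev in events:
        if not is_smartscreen_level_event(ev):
            continue
        if ev["EventID"] == 13 and ev.get("Details", "").strip().lower() == "warn":
            alerts.append({
                "rule": "Windows Impair Defense Set Win Defender Smart Screen Level To Warn",
                "user": ev.get("User"),
                "process": ev.get("Image"),
                "target": ev["TargetObject"],
                "new_value": ev["Details"],
            })
        else:
            context.append(ev)
    return alerts, context


if __name__ == "__main__":
    found, related = detect_smartscreen_warn(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a['rule']}: {a['user']} via {a['process']} set {a['target']} = {a['new_value']}")
    print(f"{len(related)} related ShellSmartScreenLevel event(s) kept as context")
```

Setting the value to "Block" (the hardened state) produces no alert, while the "Warn" write from regedit.exe is flagged with the user and process responsible; the EventID 12 deletion is kept alongside as context since it is part of the same tampering sequence even though the rule itself only fires on the "warn" setting.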
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-11-13