
Summary
This detection rule identifies the deletion of specific registry keys that disable the Local Security Authority (LSA) and Microsoft Defender Device Guard protections on Windows systems. The analytic is constructed using Sysmon events, specifically EventID 13 (which tracks registry operations) and EventID 1 (which logs process creation activities). By monitoring registry actions associated with critical security settings, the rule aims to detect potentially malicious activities that could compromise a system's defenses, such as credential theft or unauthorized code execution. Disabling these settings could lead to an elevated risk of system compromise and persistent attacker access. The detection uses EDR agent data to pinpoint these crucial actions, thus providing security teams with vital insights into possible security incidents.
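The summary describes the detection only at the level of event types, so the following is an added worked example of the logic, written for this page and not the rule's own query. It assumes the protections in question are controlled by the standard Windows registry values for LSA Protection (RunAsPPL), Credential Guard (LsaCfgFlags), Virtualization Based Security and HVCI; the page names no specific paths, so those are assumptions. It also handles Sysmon EventID 12 alongside EventID 13, because in Sysmon key and value deletions are reported under EventID 12 (DeleteKey/DeleteValue) while EventID 13 reports values being set, and setting a protection value to 0 weakens it just as a delete does. The example correlates matching registry events with EventID 1 by ProcessGuid so each alert carries the responsible command line and parent process; all input events are constructed samples.

```python
import re
from typing import Optional

# Registry values controlling the protections the rule watches.
# ASSUMPTION: the rule text names no paths; these are the standard Windows
# locations for LSA Protection, Credential Guard, VBS and HVCI.
WATCHED_VALUES = {
    r"hklm\system\currentcontrolset\control\lsa\runasppl": "LSA Protection (RunAsPPL)",
    r"hklm\system\currentcontrolset\control\lsa\lsacfgflags": "Credential Guard (LsaCfgFlags)",
    r"hklm\system\currentcontrolset\control\deviceguard\enablevirtualizationbasedsecurity": "Virtualization Based Security",
    r"hklm\system\currentcontrolset\control\deviceguard\scenarios\hypervisorenforcedcodeintegrity\enabled": "Hypervisor-enforced Code Integrity",
}

# Sysmon renders DWORD values in the Details field as "DWORD (0x00000000)".
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")


def normalize_path(target: str) -> str:
    """Lower-case a Sysmon TargetObject and fold the long hive name to HKLM."""
    t = target.lower()
    if t.startswith("hkey_local_machine\\"):
        t = "hklm\\" + t[len("hkey_local_machine\\"):]
    return t


def tampering_reason(event: dict) -> Optional[str]:
    """Return a reason string if a Sysmon registry event weakens a watched
    protection, else None. EventID 12 = DeleteKey/DeleteValue, 13 = SetValue."""
    event_id = event.get("EventID")
    if event_id not in (12, 13):
        return None
    target = normalize_path(event.get("TargetObject", ""))
    etype = event.get("EventType", "")

    if event_id == 12 and etype == "DeleteValue" and target in WATCHED_VALUES:
        return f"{WATCHED_VALUES[target]} value deleted"

    if event_id == 12 and etype == "DeleteKey":
        # Deleting a parent key removes every watched value beneath it.
        hit = [name for path, name in WATCHED_VALUES.items() if path.startswith(target + "\\")]
        if hit:
            return "key deleted, removing: " + ", ".join(hit)

    if event_id == 13 and etype == "SetValue" and target in WATCHED_VALUES:
        m = _DWORD_RE.search(event.get("Details", ""))
        if m and int(m.group(1), 16) == 0:
            return f"{WATCHED_VALUES[target]} set to 0 (disabled)"
    return None


def detect(events: list) -> list:
    """Correlate EventID 1 (process creation) with matching registry events by
    ProcessGuid so each alert carries the command line and parent image."""
    processes = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    alerts = []
    for e in events:
        reason = tampering_reason(e)
        if reason is None:
            continue
        proc = processes.get(e.get("ProcessGuid"), {})
        alerts.append({
            "time": e.get("UtcTime"),
            "reason": reason,
            "target": e.get("TargetObject"),
            "image": e.get("Image"),
            "command_line": proc.get("CommandLine", "<no EventID 1 seen>"),
            "parent_image": proc.get("ParentImage", "<unknown>"),
        })
    return alerts


# Constructed sample events in Sysmon field layout (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-11-13 10:00:00.000", "ProcessGuid": "{CONSTRUCTED-GUID-0001}",
     "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /f'},
    {"EventID": 12, "UtcTime": "2024-11-13 10:00:01.000", "EventType": "DeleteValue",
     "ProcessGuid": "{CONSTRUCTED-GUID-0001}", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL"},
    {"EventID": 13, "UtcTime": "2024-11-13 10:05:00.000", "EventType": "SetValue",
     "ProcessGuid": "{CONSTRUCTED-GUID-0002}", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "UtcTime": "2024-11-13 10:05:02.000", "EventType": "DeleteKey",
     "ProcessGuid": "{CONSTRUCTED-GUID-0002}", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"},
    # Benign: unrelated value, and a protection being turned ON rather than off.
    {"EventID": 13, "EventType": "SetValue", "ProcessGuid": "{CONSTRUCTED-GUID-0003}",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "Details": "C:\\tool.exe"},
    {"EventID": 13, "EventType": "SetValue", "ProcessGuid": "{CONSTRUCTED-GUID-0003}",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['time']} {a['reason']} | {a['image']} | {a['command_line']} (parent: {a['parent_image']})")
```

On the sample input this raises three alerts (the RunAsPPL delete, the VBS value set to 0, and the HVCI key delete) and stays silent on the unrelated Run value and on RunAsPPL being set to 1. The second alert shows why the EventID 1 join matters: when no process-creation event is available for the ProcessGuid, the alert still fires but the command line is reported as missing rather than dropped, which is the behaviour an analyst wants when EDR telemetry is incomplete.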
Categories
- Windows
- Endpoint
Data Sources
- Pod
- Process
ATT&CK Techniques
- T1556
Created: 2024-11-13