Powershell Defender Threat Actions Set to Allow

Splunk Security Content

Summary
This rule detects when Windows Defender threat actions are configured to 'Allow' via the Set-MpPreference cmdlet in PowerShell. It analyzes endpoint process telemetry (Endpoint.Processes data model) to catch executions of Set-MpPreference that set any of the threat action defaults (-HighThreatDefaultAction, -ModerateThreatDefaultAction, -LowThreatDefaultAction, -SevereThreatDefaultAction) to the value 6, which Defender interprets as 'Allow'. Such a configuration is commonly abused by adversaries to bypass Defender's protections, enabling malicious code execution, data exfiltration, or persistent access. The detection leverages data sources including Sysmon EventID 1, Windows Security Event 4688, and CrowdStrike ProcessRollup2, correlating the process, its command line (Set-MpPreference), and the associated parent process metadata. The SPL search groups results by destination, action, process details, and parent process information to surface credible activity with temporal context (firstTime/lastTime). A finding highlights the specific PowerShell command line that set the action to Allow, tied to the destination host. The rule is aligned with MITRE ATT&CK technique T1059.001 (PowerShell) and is grouped with the Salat Stealer analytics in this rule set.
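The command-line matching the rule describes, as an added Python example that is not the Splunk SPL or any Splunk Security Content code: it tokenizes a Set-MpPreference command line the way a defender's parser would, resolves the four threat-action parameters (including PowerShell's unique-prefix abbreviations and the -Name:value form), and flags value 6. It goes slightly beyond the page by also matching the enum name 'Allow', which the cmdlet accepts; the event records and host/user names are constructed.

```python
import re
import shlex
from typing import Optional

# Threat-action defaults of Set-MpPreference named on the rule page.
THREAT_ACTION_PARAMS = ("HighThreatDefaultAction", "ModerateThreatDefaultAction",
                        "LowThreatDefaultAction", "SevereThreatDefaultAction")
# 6 is the value the rule keys on; the cmdlet also accepts the enum name 'Allow'.
ALLOW_VALUES = {"6", "allow"}
# PowerShell parameter syntax: "-Name value" or "-Name:value".
_PARAM_RE = re.compile(r"-(?P<name>[A-Za-z]{3,})(?::(?P<inline>\S+))?")

def _resolve_param(name: str) -> Optional[str]:
    """Approximate PowerShell's unique-prefix resolution, restricted to the four parameters above."""
    hits = [p for p in THREAT_ACTION_PARAMS if p.lower().startswith(name.lower())]
    return hits[0] if len(hits) == 1 else None

def find_allow_settings(cmdline: str) -> list:
    """Return (parameter, value) pairs where Set-MpPreference sets a threat action to Allow."""
    if "set-mppreference" not in cmdline.lower():
        return []
    lexer = shlex.shlex(cmdline, posix=False)  # non-POSIX mode keeps Windows backslashes literal
    lexer.whitespace_split, lexer.commenters = True, ""
    tokens = list(lexer)
    found = []
    for i, tok in enumerate(tokens):
        m = _PARAM_RE.fullmatch(tok)
        param = _resolve_param(m.group("name")) if m else None
        if param is None:
            continue
        value = (m.group("inline") or (tokens[i + 1] if i + 1 < len(tokens) else "")).strip("'\"").lower()
        if value in ALLOW_VALUES:
            found.append((param, value))
    return found

def detect(events: list) -> list:
    """One finding per matching process event, carrying the fields the SPL groups on."""
    return [{"dest": ev["dest"], "user": ev["user"], "parent_process_name": ev["parent_process_name"],
             "process": ev["process"], "allowed": [p for p, _ in find_allow_settings(ev["process"])]}
            for ev in events if find_allow_settings(ev["process"])]

# Constructed Sysmon EventID 1-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "ws-01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process": "powershell.exe -NoProfile -Command Set-MpPreference -HighThreatDefaultAction 6 -SevereThreatDefaultAction:6"},
    {"dest": "ws-02", "user": "CORP\\bob", "parent_process_name": "explorer.exe",
     "process": "powershell.exe Set-MpPreference -ModerateThreatDefaultAction 2"},  # 2 = Quarantine: benign
    {"dest": "ws-03", "user": "CORP\\svc", "parent_process_name": "wscript.exe",
     "process": "powershell.exe Set-MpPreference -LowThreatDefaultAct 'Allow'"},  # abbreviated name, quoted enum
]
```

Like the SPL, this inspects the plain command line as logged, so a Base64-encoded PowerShell command would have to be decoded before the same check applies.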
Categories
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1059.001
Created: 2026-06-16