
Windows Modify Registry Delete Firewall Rules

Splunk Security Content

Summary
This detection rule monitors for the deletion of Windows firewall rules through registry modifications, as recorded by Sysmon Event ID 12. Its primary focus is to identify unauthorized changes that could leave a system exposed to external threats. When a command such as 'netsh advfirewall firewall delete rule' is executed, the resulting removal of the rule's registry entry is captured, and that removal may point to a breach or unauthorized access. The rule uses a search query that tracks changes to the firewall policy registry, specifically the object path that holds the firewall rules. By detecting these deletions, organizations can act promptly to secure their networks against intrusions or other malicious activity. The analytic filters and renames the relevant fields to make its output clearer and more useful, helping security teams investigate anomalies in firewall rule configuration.
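As an added illustration, not the rule's own Splunk search, the following Python applies the same logic to a few constructed Sysmon Event ID 12 records: keep only deletions whose TargetObject sits under the firewall rules key, then rename the fields for the analyst. The registry path is the standard Windows location for firewall rules; the sample events, their pipe-separated key=value line format and the rule GUIDs are constructed for this example.

```python
# Well-known registry key under which Windows stores each firewall rule as a
# value; the page refers to it only as "the object path that holds the
# firewall rules". Matched case-insensitively below.
FIREWALL_RULES_PATH = (
    "\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
    "\\FirewallPolicy\\FirewallRules\\"
)
# Sysmon Event ID 12 covers registry object create/delete; these are the
# EventType values that represent a deletion.
DELETE_TYPES = {"DeleteKey", "DeleteValue"}

# Constructed sample telemetry (not real logs): one event per line, Sysmon
# EventData fields rendered as pipe-separated key=value pairs.
SAMPLE_LOG = r"""
EventID=12|EventType=DeleteValue|TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{CONSTRUCTED-RULE-GUID-1}|Image=C:\Windows\System32\netsh.exe|User=CORP\jdoe
EventID=13|EventType=SetValue|TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{CONSTRUCTED-RULE-GUID-2}|Image=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM
EventID=12|EventType=DeleteValue|TargetObject=HKCU\Software\Example\Setting|Image=C:\Windows\explorer.exe|User=CORP\jdoe
EventID=12|EventType=DeleteKey|TargetObject=hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\firewallrules\{CONSTRUCTED-RULE-GUID-3}|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|User=CORP\admin
"""

def parse_events(log: str) -> list[dict]:
    """Turn each key=value line into a dict of Sysmon EventData fields."""
    events = []
    for line in log.strip().splitlines():
        fields = dict(pair.split("=", 1) for pair in line.split("|"))
        fields["EventID"] = int(fields["EventID"])
        events.append(fields)
    return events

def detect_firewall_rule_deletions(events: list[dict]) -> list[dict]:
    """Keep EID 12 deletions under the firewall-rules key and rename the
    fields to analyst-friendly names (registry_path, action, process_name, user)."""
    findings = []
    for ev in events:
        if ev["EventID"] != 12 or ev["EventType"] not in DELETE_TYPES:
            continue
        if FIREWALL_RULES_PATH.lower() not in ev["TargetObject"].lower():
            continue
        findings.append({
            "registry_path": ev["TargetObject"],
            "action": "deleted",
            "process_name": ev["Image"].rsplit("\\", 1)[-1],
            "user": ev["User"],
        })
    return findings

if __name__ == "__main__":
    for finding in detect_firewall_rule_deletions(parse_events(SAMPLE_LOG)):
        print(finding)
```

Only the netsh.exe and powershell.exe deletions are reported; the SetValue event (EID 13) and the unrelated HKCU deletion are filtered out.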
Categories
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1112
Created: 2024-12-16