
Summary
This detection rule focuses on identifying the disabling of the Windows Firewall through the use of the `netsh` command-line application. It specifically analyzes execution logs captured by Endpoint Detection and Response (EDR) systems for command-line activity that contains keywords like "firewall," "off," and "disable." The significance of this detection lies in the risk associated with turning off the firewall; it may expose the system to external attacks, increasing the likelihood of malware communicating with its command and control (C2) infrastructure. Potential consequences of this action include unauthorized access to sensitive data and further compromise of the network environment. The analytic effectively correlates various data sources such as Sysmon events and Windows Event Logs to provide a comprehensive view of potentially malicious behavior associated with firewall disabling, ensuring that security operations teams can respond promptly to mitigate risks.
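As an added illustration (not the rule's own query logic), the following Python sketch applies the keyword-based detection described above to constructed process-creation events in a Sysmon-like dictionary form; the host names, users and command lines are all made up for the example, and the regular expressions and field names are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / EDR style).
# These are made-up records for the example, not telemetry from a real environment.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "CORP\\alice",
     "process": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "ws-02", "user": "CORP\\bob",
     "process": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh firewall set opmode disable"},
    {"host": "ws-03", "user": "CORP\\carol",
     "process": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},          # read-only query, benign
    {"host": "ws-04", "user": "CORP\\dave",
     "process": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state on"},  # turning it on, benign
    {"host": "ws-05", "user": "CORP\\erin",
     "process": r"C:\Program Files\App\app.exe",
     "cmdline": "app.exe --log firewall-off.txt"},              # keyword collision, not netsh
]

# Image path ending in netsh / netsh.exe, any case.
NETSH_IMAGE = re.compile(r"(^|[\\/])netsh(\.exe)?$", re.IGNORECASE)
# Require BOTH the firewall context and a state-changing keyword. Matching any single
# keyword would flag "show" queries or unrelated command lines that mention "firewall".
FIREWALL_CTX = re.compile(r"\b(adv)?firewall\b", re.IGNORECASE)
DISABLE_KW = re.compile(r"\b(off|disable)\b", re.IGNORECASE)


def is_firewall_disable(event: dict) -> bool:
    """True when the event is a netsh execution whose command line turns the firewall off."""
    image = event.get("process") or ""
    cmd = event.get("cmdline") or ""
    # Accept a netsh image path, or a command line that begins with netsh when the
    # image field is missing from the record.
    if not NETSH_IMAGE.search(image) and not re.match(r"^\s*netsh\b", cmd, re.IGNORECASE):
        return False
    return bool(FIREWALL_CTX.search(cmd) and DISABLE_KW.search(cmd))


def detect(events):
    """Return the subset of events that match the firewall-disable analytic."""
    return [e for e in events if is_firewall_disable(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[ALERT] T1562.001 firewall disabled on {hit['host']} "
              f"by {hit['user']}: {hit['cmdline']}")
```

Only the first two constructed events fire; the query, the enable, and the non-netsh process with a colliding keyword are left alone.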
Categories
- Endpoint
- Windows
Data Sources
- Pod
- Windows Registry
- Command
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-11-13