Windows Impair Defenses Disable Win Defender Auto Logging

Splunk Security Content

Summary
This analytic detects the disabling of Windows Defender logging by monitoring two specific Registry keys, DefenderApiLogger and DefenderAuditLogger, for modifications that set them to the disabled state (a value of 0x00000000). This behavior is significant because Remote Access Trojan (RAT) malware commonly uses it to evade detection: an attacker who disables logging can cover their tracks and persist more easily in a compromised environment. The rule uses the Endpoint.Registry data model in Splunk to monitor registry activity that could indicate malicious intent.
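The check described above, expressed as a small offline detector so the matching logic can be read and exercised (an added example, not Splunk's own SPL or any code from the Splunk Security Content project). The field names follow the Endpoint.Registry data model as assumed here (dest, process_name, registry_path, registry_value_name, registry_value_data). The page names only the two key names and the value 0x00000000; the Autologger parent path and the "Start" value name in the sample events are the standard ETW autologger layout, not something this page states, and every event below is a constructed sample.

```python
"""Registry-based detection of Windows Defender autologger disablement.

Added example mirroring the analytic described on this page; not Splunk's
own SPL. Field names follow the Endpoint.Registry data model as assumed
here. All events in SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Key names the analytic watches (from the page). The Autologger parent
# path and the "Start" value name used in the samples are the standard
# ETW autologger layout, an assumption the page itself does not state.
WATCHED_KEYS = ("DefenderApiLogger", "DefenderAuditLogger")
DISABLED = 0  # the analytic fires on a value of 0x00000000


@dataclass(frozen=True)
class RegistryEvent:
    dest: str
    process_name: str
    registry_path: str
    registry_value_name: str
    registry_value_data: str


def parse_dword(data: str) -> Optional[int]:
    """Normalise the ways a DWORD shows up in registry telemetry:
    '0x00000000', '0', 'DWORD (0x00000000)'. None if no number is present."""
    m = re.search(r"0x([0-9a-fA-F]+)|(\d+)", data)
    if not m:
        return None
    if m.group(1) is not None:
        return int(m.group(1), 16)
    return int(m.group(2), 10)


def watched_key_for(path: str) -> Optional[str]:
    """Return which watched key a registry path refers to, if any.
    Matches the key name as a whole path component, case-insensitively,
    so a path containing 'DefenderApiLoggerBackup' would not match."""
    parts = [p.lower() for p in path.split("\\")]
    for key in WATCHED_KEYS:
        if key.lower() in parts:
            return key
    return None


def is_defender_logging_disabled(ev: RegistryEvent) -> Optional[str]:
    """Core check: the event touches a watched key AND sets it to 0.
    Returns the matched key name, or None when the event is benign."""
    key = watched_key_for(ev.registry_path)
    if key is None:
        return None
    if parse_dword(ev.registry_value_data) != DISABLED:
        return None
    return key


def detect(events) -> list:
    """Run the check over a stream of events; return alert dicts in order."""
    alerts = []
    for ev in events:
        key = is_defender_logging_disabled(ev)
        if key is not None:
            alerts.append({
                "dest": ev.dest,
                "process_name": ev.process_name,
                "key": key,
                "registry_path": ev.registry_path,
                "registry_value_data": ev.registry_value_data,
            })
    return alerts


# Constructed sample events (not real telemetry).
AUTOLOGGER = r"HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
SAMPLE_EVENTS = [
    # 1. API logger set to 0 -> should alert
    RegistryEvent("ws01", "reg.exe", AUTOLOGGER + r"\DefenderApiLogger\Start",
                  "Start", "0x00000000"),
    # 2. Audit logger set to 0, value rendered differently -> should alert
    RegistryEvent("ws01", "powershell.exe", AUTOLOGGER + r"\DefenderAuditLogger\Start",
                  "Start", "DWORD (0x00000000)"),
    # 3. Same key set back to 1 (enabled) -> no alert
    RegistryEvent("ws02", "svchost.exe", AUTOLOGGER + r"\DefenderApiLogger\Start",
                  "Start", "0x00000001"),
    # 4. An unrelated, made-up session set to 0 -> no alert
    RegistryEvent("ws02", "reg.exe", AUTOLOGGER + r"\SomeOtherSession\Start",
                  "Start", "0x00000000"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT {a['dest']} {a['process_name']} set {a['key']} "
              f"to {a['registry_value_data']}")
```

Matching on the key name as a whole path component, rather than a substring, keeps the rule from firing on unrelated keys that merely contain the name; normalising the DWORD rendering matters because different collectors (Sysmon, EDR agents) print the same value in different forms, and a rule that compares the raw string to "0x00000000" silently misses the others.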
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-12-16