Removal Of AMSI Provider Registry Keys

Sigma Rules

Summary
This detection rule alerts on the deletion of specific registry keys related to the Antimalware Scan Interface (AMSI) on Windows. AMSI helps detect and mitigate malicious scripts and programs by providing an interface through which applications pass content to registered antimalware products for scanning. Attackers may attempt to disable AMSI by removing its registry keys, so that scripts and programs execute without being inspected. The rule specifically monitors for the deletion of registry keys corresponding to AMSI provider settings found under HKLM\Software\Microsoft\AMSI. When a deletion event occurs for one of the targeted keys, an alert is triggered, indicating a potential attempt to disable AMSI inspection.
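As an added example (not the rule's own Sigma source), the detection logic described in the summary applied to constructed Sysmon Event ID 12 registry records: a DeleteKey event whose TargetObject is a provider subkey under HKLM\SOFTWARE\Microsoft\AMSI\Providers raises an alert tagged with the page's ATT&CK technique. Field names follow Sysmon's registry event schema; the provider CLSID in the sample data is a placeholder, not a real provider.

```python
"""Flag deletion of AMSI provider registry keys in Sysmon-style registry events."""
import re
from typing import Dict, Iterable, List

# AMSI providers are registered as {CLSID} subkeys under this path. Registry
# paths are case-insensitive, so the match is too. Only whole provider keys are
# matched, not values beneath them (those arrive as Event ID 13 SetValue).
_AMSI_PROVIDER_KEY = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\AMSI\\Providers\\\{[0-9A-F-]{36}\}$",
    re.IGNORECASE,
)


def is_amsi_provider_removal(event: Dict[str, object]) -> bool:
    """True for a Sysmon Event ID 12 DeleteKey on an AMSI provider key."""
    if str(event.get("EventID")) != "12":          # registry key create/delete
        return False
    if event.get("EventType") != "DeleteKey":
        return False
    return _AMSI_PROVIDER_KEY.match(str(event.get("TargetObject", ""))) is not None


def scan(events: Iterable[Dict[str, object]]) -> List[Dict[str, str]]:
    """Emit one alert per matching event, with the process that did the deletion."""
    alerts = []
    for ev in events:
        if is_amsi_provider_removal(ev):
            alerts.append({
                "rule": "Removal Of AMSI Provider Registry Keys",
                "technique": "T1562.001",
                "image": str(ev.get("Image", "")),
                "target": str(ev["TargetObject"]),
            })
    return alerts


# Constructed sample telemetry; the CLSID is an all-zero placeholder.
_PROVIDER = r"HKLM\SOFTWARE\Microsoft\AMSI\Providers\{00000000-0000-0000-0000-000000000000}"
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": _PROVIDER},                                  # should alert
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": _PROVIDER},                                  # provider installed, benign
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Example"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": _PROVIDER + r"\SomeValue"},                 # value write, not key deletion
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```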
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1562.001
Created: 2021-06-07