Disable Defender Submit Samples Consent Feature

Splunk Security Content

Summary
This rule identifies Windows registry modifications that disable the Windows Defender Submit Samples Consent feature. The analytic uses the Endpoint.Registry data model and focuses on changes to the registry path associated with Windows Defender SpyNet. Specifically, it looks for the SubmitSamplesConsent value being set to 0, which means Windows Defender will no longer submit sample data for further analysis. This behavior is a potential indicator of an attempt to evade security software: with sample submission turned off, malicious code can run without being forwarded for analysis, increasing the risk of system compromise. By monitoring Sysmon EventIDs 12 and 13, the rule captures the registry changes that could signal this activity and underlines why registry integrity matters for security monitoring.
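The detection logic described above, run over constructed Sysmon registry events, as an added example that is not part of Splunk Security Content. It assumes events are dicts carrying Sysmon's EventID, TargetObject, Details, Image and User fields, and that DWORD data appears in Sysmon's "DWORD (0x00000000)" form.

```python
import re

# Matches the SubmitSamplesConsent value under either SpyNet location
# (HKLM\SOFTWARE\Microsoft\... or HKLM\SOFTWARE\Policies\Microsoft\...).
SPYNET_VALUE = re.compile(r"\\Windows Defender\\SpyNet\\SubmitSamplesConsent$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]{8})\)")

def parse_dword(details):
    """Return the integer behind a Sysmon 'DWORD (0x........)' Details string, or None."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None

def is_submit_samples_disabled(event):
    """True when a registry event writes SubmitSamplesConsent = 0 under SpyNet.
    EventID 12 (key create/delete) carries no Details, so in practice only
    EventID 13 (value set) can satisfy the value condition."""
    if event.get("EventID") not in (12, 13):
        return False
    if not SPYNET_VALUE.search(event.get("TargetObject", "")):
        return False
    return parse_dword(event.get("Details")) == 0

def detect(events):
    """Return (Image, User, TargetObject) for each matching event, the fields an
    analyst would triage first (which process, under which account, wrote the value)."""
    return [(e.get("Image"), e.get("User"), e["TargetObject"])
            for e in events if is_submit_samples_disabled(e)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent",
     "Details": "DWORD (0x00000000)"},                      # consent disabled: match
    {"EventID": 13, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent",
     "Details": "DWORD (0x00000001)"},                      # consent enabled: no match
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe", "User": "CORP\\jdoe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet",
     "Details": None},                                      # key created, no value: no match
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("SubmitSamplesConsent disabled by:", hit)
```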
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Windows Registry
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-12-16