
Summary
This detection rule alerts when the AutoLogger session or one of its providers is disabled on a Windows system. It monitors changes to the Windows Registry keys under 'WMI\Autologger', which control the ETW trace sessions that Windows event logging and many security tools depend on, and specifically watches the 'Start' and 'Enabled' values. When either value is set to '0x00000000', the session or provider is being switched off, a tactic attackers use to evade logging and other security measures. The rule reads Sysmon Event ID 13 (registry value set) events mapped to the Endpoint.Registry datamodel and extracts those in which these critical registry settings are altered. Disabling such defensive measures can obscure an attacker's subsequent actions and support persistence on compromised systems, so alerts from this rule warrant prompt investigation.
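The following is an added illustration of the detection logic described above, written here as a stand-alone Python script; it is not the rule's own search and not code from the rule's authors. It runs over a handful of constructed Sysmon Event ID 13 records (flattened from the event XML into dicts) and flags only those where a 'Start' or 'Enabled' value under the AutoLogger key is set to a DWORD of zero. The full key path 'HKLM\System\CurrentControlSet\Control\WMI\Autologger\<session>' and the 'DWORD (0x00000000)' rendering of the Details field follow Sysmon's output format; the session names, provider GUID and process images in the sample are placeholders. 'Start' lives at the session level, while 'Enabled' can appear both on the session and on each provider subkey (a GUID), which is why the matcher accepts an optional provider component.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, flattened
# from the event XML into dicts. Paths, GUID and images are illustrative only.
SAMPLE_EVENTS = [
    {   # AutoLogger session 'EventLog-Application' switched off: Start -> 0
        "EventID": 13, "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger"
                        "\\EventLog-Application\\Start",
        "Details": "DWORD (0x00000000)",
    },
    {   # one provider (placeholder GUID) under 'EventLog-Security' disabled: Enabled -> 0
        "EventID": 13, "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger"
                        "\\EventLog-Security\\{11111111-2222-3333-4444-555555555555}\\Enabled",
        "Details": "DWORD (0x00000000)",
    },
    {   # benign: a session being (re)enabled, Start -> 1, must not fire
        "EventID": 13, "EventType": "SetValue",
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger"
                        "\\EventLog-System\\Start",
        "Details": "DWORD (0x00000001)",
    },
    {   # unrelated key with a zero DWORD: must not fire
        "EventID": 13, "EventType": "SetValue",
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "Details": "DWORD (0x00000000)",
    },
    {   # Event ID 12 (key create) under Autologger: not a value set, must not fire
        "EventID": 12, "EventType": "CreateKey",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\Evil",
        "Details": "",
    },
]

# Matches ...\Control\WMI\Autologger\<session>[\{provider-guid}]\Start|Enabled
AUTOLOGGER_VALUE = re.compile(
    r"\\Control\\WMI\\Autologger\\(?P<session>[^\\]+)"
    r"(?:\\(?P<provider>\{[0-9a-f-]{36}\}))?"
    r"\\(?P<value>Start|Enabled)$",
    re.IGNORECASE,
)

# Sysmon renders REG_DWORD data as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"^DWORD \((0x[0-9a-f]{8})\)$", re.IGNORECASE)


def dword_value(details):
    """Parse Sysmon's DWORD rendering into an int; None if Details is not a DWORD."""
    m = DWORD_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def detect_autologger_disable(events):
    """Return one alert dict per Event ID 13 that zeroes an AutoLogger Start/Enabled value."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:          # only registry value-set events
            continue
        m = AUTOLOGGER_VALUE.search(ev.get("TargetObject", ""))
        if not m:                            # not an AutoLogger Start/Enabled value
            continue
        if dword_value(ev.get("Details", "")) != 0:   # only the disabling write
            continue
        alerts.append({
            "session": m.group("session"),
            "provider": m.group("provider"),   # None when the session itself was changed
            "value": m.group("value"),
            "image": ev.get("Image"),          # writing process, useful for triage
            "target": ev["TargetObject"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect_autologger_disable(SAMPLE_EVENTS):
        scope = (f"provider {a['provider']} of session {a['session']}"
                 if a["provider"] else f"session {a['session']}")
        print(f"ALERT: {a['value']}=0 on {scope} via {a['image']}")
```

On the constructed sample this yields exactly two alerts (the zeroed session 'Start' and the zeroed provider 'Enabled'); the re-enable write, the unrelated zero DWORD and the key-create event are all ignored. Carrying the writing process image in the alert is what lets an analyst separate a legitimate administrative change from a defence-evasion attempt during triage.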
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1562.001
- T1562
Created: 2025-01-07