Windows Impair Defense Disable Win Defender Compute File Hashes

Splunk Security Content

Summary
This detection rule, created by Teoderick Contreras of Splunk, monitors modifications to the Windows registry that disable Windows Defender's file hash computation. The key registry value, 'EnableFileHashComputation', is set to '0', which can significantly weaken Windows Defender's malware detection capabilities. Such configurations might indicate malicious intent, allowing attackers to bypass security mechanisms and run malware undetected. The analytic specifically leverages Sysmon Event ID 12 and Event ID 13, utilizing the Endpoint Registry data model to track changes to the relevant registry path. Given the critical role of file hash computation in malware detection, this rule is important for maintaining security integrity on Windows systems. The rule may also generate false positives in environments where policies intentionally disable this feature, although it is unusual to do so on default systems.
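The detection logic described above, applied to a handful of constructed Sysmon registry events, as an added example (this is not the Splunk rule's own SPL or any code from Splunk Security Content). It assumes events arrive as dicts carrying Sysmon's XML field names (EventID, TargetObject, Details, Image, Computer) and that the full key path is the Defender policy location under Policies\Microsoft\Windows Defender\MpEngine; only the value name EnableFileHashComputation comes from the page. The optional allow-list illustrates how to carve out the policy-management false positives the summary mentions.

```python
"""Toy detector for 'EnableFileHashComputation' being set to 0 via Sysmon
registry events. Added example, not code from the Splunk rule.

Assumptions (not stated on the page):
  - events are dicts with Sysmon field names (EventID, TargetObject,
    Details, Image, Computer);
  - the value lives under a key path containing 'Windows Defender\\...'
    (the Defender policy key), so the match is anchored on that segment
    plus the value name.
"""
import re
from typing import Iterable, List, Optional

# The value name is the one named on the page; the key path is assumed.
TARGET_VALUE = "EnableFileHashComputation"
TARGET_PATH_RE = re.compile(
    r"\\Windows Defender\\.*\\" + re.escape(TARGET_VALUE) + r"$", re.IGNORECASE
)
# Sysmon renders REG_DWORD data as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


def dword_value(details: Optional[str]) -> Optional[int]:
    """Decode Sysmon's DWORD rendering; None for non-DWORD or missing data."""
    if not details:
        return None
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def is_hash_computation_disabled(event: dict) -> bool:
    """True when a Sysmon registry event (EID 12/13) sets the value to 0.

    Event ID 12 (key/value create or delete) carries no data, so only a
    value-set event with DWORD 0 is treated as disabling the feature.
    """
    if event.get("EventID") not in (12, 13):
        return False
    if not TARGET_PATH_RE.search(event.get("TargetObject", "")):
        return False
    return dword_value(event.get("Details")) == 0


def detect(events: Iterable[dict], allowed_images: Iterable[str] = ()) -> List[dict]:
    """Return one finding per matching event, skipping allow-listed writers.

    allowed_images: full image paths of tooling that legitimately applies the
    policy in a given environment (a way to suppress the known false positive).
    """
    allowed = {p.lower() for p in allowed_images}
    findings = []
    for ev in events:
        if not is_hash_computation_disabled(ev):
            continue
        if ev.get("Image", "").lower() in allowed:
            continue
        findings.append({
            "host": ev.get("Computer"),
            "image": ev.get("Image"),
            "registry_path": ev.get("TargetObject"),
            "event_id": ev.get("EventID"),
        })
    return findings


# Constructed sample events (not real telemetry).
POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine"
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": POLICY_KEY + "\\" + TARGET_VALUE,
     "Details": "DWORD (0x00000000)"},                     # disable -> hit
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": POLICY_KEY + "\\" + TARGET_VALUE,
     "Details": "DWORD (0x00000001)"},                     # re-enable -> no hit
    {"EventID": 13, "Computer": "ws02", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": POLICY_KEY + r"\SomeOtherValue",
     "Details": "DWORD (0x00000000)"},                     # other value -> no hit
    {"EventID": 12, "Computer": "ws02", "Image": r"C:\Windows\System32\reg.exe",
     "EventType": "DeleteValue",
     "TargetObject": POLICY_KEY + "\\" + TARGET_VALUE},    # delete, no data -> no hit
    {"EventID": 1, "Computer": "ws03", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print("ALERT", f)
```

Running the block prints a single alert for the first event; passing `allowed_images=[r"C:\Windows\regedit.exe"]` to `detect` suppresses it, which is the shape of the allow-list a team would maintain for hosts where the policy is deliberately applied.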
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-11-13