
Summary
This analytic detects changes to the Windows registry that indicate an attempt to disable the Windows Defender Firewall and network protection features. It specifically monitors changes to the UILockdown registry value within the Windows Defender Security Center's settings, using data from Sysmon event IDs 12 and 13 (registry object create/delete and value set). Disabling these protections matters because attackers use it to weaken a system's defenses, facilitating unauthorized access and further malicious activity. The rule helps security teams identify such potentially harmful modifications quickly so they can remediate proactively.
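The detection logic described above, as an added illustration run over constructed Sysmon records (this is not the analytic's own search; the full registry key path in the sample events is an assumption based on the summary's description, and the field names follow Sysmon's rendered message format):

```python
"""Flag Sysmon registry events (IDs 12/13) that touch the UILockdown value
under the Windows Defender Security Center policy settings."""
import re
from dataclasses import dataclass

# Match the value the analytic watches; the parent subkey is matched loosely.
# Assumption: the exact key path is not quoted in the analytic summary.
UILOCKDOWN_RE = re.compile(
    r"\\Windows Defender Security Center\\.*\\UILockdown$", re.IGNORECASE)

@dataclass
class Finding:
    event_id: int
    event_type: str
    image: str
    target: str
    details: str

def parse_message(message: str) -> dict:
    """Parse Sysmon's rendered 'Field: value' message body into a dict."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def detect_uilockdown_tamper(events: list[dict]) -> list[Finding]:
    """Return one Finding per registry event (ID 12 or 13) that creates,
    deletes or sets UILockdown. A SetValue back to 0 is not flagged, since
    only a non-zero value hides the Firewall & network protection area."""
    findings = []
    for ev in events:
        if ev["EventID"] not in (12, 13):
            continue
        f = parse_message(ev["Message"])
        target = f.get("TargetObject", "")
        if not UILOCKDOWN_RE.search(target):
            continue
        details = f.get("Details", "")
        if ev["EventID"] == 13 and details.endswith("(0x00000000)"):
            continue  # value reset to 0: protection UI visible again
        findings.append(Finding(ev["EventID"], f.get("EventType", ""),
                                f.get("Image", ""), target, details))
    return findings

# Constructed sample events in Sysmon's rendered format (not real telemetry).
KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center"
SAMPLE_EVENTS = [
    {"EventID": 13, "Message": "EventType: SetValue\nImage: C:\\Windows\\System32\\reg.exe\n"
     f"TargetObject: {KEY}\\Firewall and network protection\\UILockdown\nDetails: DWORD (0x00000001)"},
    {"EventID": 13, "Message": "EventType: SetValue\nImage: C:\\Windows\\System32\\svchost.exe\n"
     f"TargetObject: {KEY}\\Firewall and network protection\\UILockdown\nDetails: DWORD (0x00000000)"},
    {"EventID": 13, "Message": "EventType: SetValue\nImage: C:\\Windows\\explorer.exe\n"
     "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Tool\nDetails: C:\\tool.exe"},
]
```

Running `detect_uilockdown_tamper(SAMPLE_EVENTS)` yields a single finding for the reg.exe event that sets UILockdown to 1; the reset to 0 and the unrelated Run key write are ignored.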
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-11-13