
Summary
This detection rule identifies potential tampering with the Sysmon manifest by a threat actor, which can disable Sysmon logging. It relies on Windows Security event log Event IDs 4657 (a registry value was modified) and 4663 (an attempt was made to access an object) to detect changes to the Sysmon operational channel's configuration. The rule triggers when the 'Enabled' property of the Sysmon channel is set to 0, or when the Sysmon channel configuration is accessed. Both Event IDs are only generated when object-access auditing is enabled and a SACL is set on the audited objects, so the rule produces nothing on hosts without that audit configuration. By monitoring these events, organizations can quickly identify and respond to evasion tactics employed by adversaries targeting Sysmon's logging capabilities.
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Process
Created: 2020-07-14