Windows Modify Registry Disable WinDefender Notifications

Splunk Security Content

Summary
This analytic detects a suspicious registry modification intended to disable Windows Defender Security Center notifications, the pop-ups that tell a user when Defender has found or blocked something. It reads Sysmon registry events (Event ID 12 for key creation and deletion, Event ID 13 for value writes) through the Endpoint.Registry data model and looks for a write under the Windows Defender Security Center notifications policy path whose value data is '0x00000001'. Setting that value to 1 is a defense-evasion step used by malware such as RedLine Stealer to suppress security alerts and keep operating unnoticed; if confirmed malicious, it can precede further compromise of the host and exfiltration of data. Administrators can set the same policy deliberately through Group Policy, so check the writing process, user and host before acting on a match.
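To make the condition concrete, here is an added example (not Splunk's search or add-on code) that replays the rule's logic in Python over constructed Sysmon Event ID 12 and 13 records. It assumes the policy value the rule keys on is HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications, which the summary does not spell out, and that Sysmon records the DWORD as 'DWORD (0x00000001)' before the Splunk add-on reduces it to the '0x00000001' the search compares against; host names, image paths and user names in the sample records are made up.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed target value (the page does not name it). Matched as a suffix because the
# hive prefix differs between sources (HKLM\... vs \REGISTRY\MACHINE\...).
TARGET_SUFFIX = r"\windows defender security center\notifications\disablenotifications"
REGISTRY_EVENT_IDS = {12, 13}   # Sysmon 12 = key create/delete, 13 = value set
FLAG_VALUE = "0x00000001"       # the value data the analytic alerts on


def _sysmon_event(event_id, event_type, image, target, details=None):
    """Build a constructed Sysmon event in Windows event XML (sample data, not a capture)."""
    fields = [("EventType", event_type), ("Image", image), ("TargetObject", target),
              ("User", "DESKTOP-01\\alice")]
    if details is not None:          # EventID 12 has no Details element
        fields.append(("Details", details))
    data = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields)
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>%d</EventID>'
            '<Computer>DESKTOP-01</Computer></System><EventData>%s</EventData></Event>'
            % (event_id, data))


def parse_sysmon_event(xml_text):
    """Flatten the <System> and <EventData> parts of a Sysmon event into one dict."""
    root = ET.fromstring(xml_text)
    ev = {"event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
          "host": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def normalize_value_data(details):
    """Reduce Sysmon's 'DWORD (0x00000001)' to the bare '0x00000001' form the analytic
    compares registry_value_data against. Non-numeric data is returned unchanged."""
    m = re.search(r"0x([0-9a-fA-F]+)", details or "")
    if not m:
        return details
    return "0x%08x" % int(m.group(1), 16)


def matches_disable_notifications(ev):
    """The rule's condition: a Sysmon registry event on the DisableNotifications value
    whose data is 0x00000001. EventID 12 carries no Details, so only a value-set
    event can satisfy both clauses."""
    if ev["event_id"] not in REGISTRY_EVENT_IDS:
        return False
    if not ev.get("TargetObject", "").lower().endswith(TARGET_SUFFIX):
        return False
    return normalize_value_data(ev.get("Details")) == FLAG_VALUE


def run_detection(xml_records):
    """Run the rule over raw XML records and return the fields an analyst triages on."""
    hits = []
    for rec in xml_records:
        ev = parse_sysmon_event(rec)
        if matches_disable_notifications(ev):
            hits.append({"host": ev["host"], "user": ev.get("User"), "image": ev.get("Image"),
                         "path": ev["TargetObject"], "value": normalize_value_data(ev["Details"])})
    return hits


POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"
SAMPLE_EVENTS = [  # constructed records
    # 1. value set to 1 by a binary dropped in Temp: should alert
    _sysmon_event(13, "SetValue", r"C:\Users\alice\AppData\Local\Temp\build.exe",
                  POLICY_KEY + r"\DisableNotifications", "DWORD (0x00000001)"),
    # 2. EventID 12 creation of the parent key: no value data, no alert
    _sysmon_event(12, "CreateKey", r"C:\Users\alice\AppData\Local\Temp\build.exe", POLICY_KEY),
    # 3. notifications re-enabled (value 0): not the condition the rule looks for
    _sysmon_event(13, "SetValue", r"C:\Windows\regedit.exe",
                  POLICY_KEY + r"\DisableNotifications", "DWORD (0x00000000)"),
    # 4. a different Defender tamper value: outside this rule's scope
    _sysmon_event(13, "SetValue", r"C:\Windows\System32\reg.exe",
                  r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
                  "DWORD (0x00000001)"),
    # 5. same write seen with the \REGISTRY\MACHINE hive spelling: still matches
    _sysmon_event(13, "SetValue", r"C:\Windows\System32\reg.exe",
                  r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center"
                  r"\Notifications\DisableNotifications", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Only records 1 and 5 fire. Record 2 shows why the Event ID 12 data source alone never triggers this rule (a key create has no value data), and record 3 shows that the rule is one-sided: it sees notifications being turned off, not turned back on. The returned image and user fields are what you check first to separate a dropped binary from an administrator or Group Policy applying the same setting.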
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1112
Created: 2024-11-13