Windows Impair Defense Delete Win Defender Context Menu

Splunk Security Content

Summary
This analytic rule detects the deletion of the Windows Defender context menu entry from the Windows registry, an action often associated with attempts to disable security features, typically by Remote Access Trojan (RAT) malware. It leverages the Endpoint datamodel, focusing on registry activity where the action type is 'deleted' and the registry path matches '*\\shellex\\ContextMenuHandlers\\EPP'. Losing this default security control diminishes the protection provided by Windows Defender and can allow malicious actors to impair security defenses, which may lead to unauthorized access, persistence on the compromised system, and exfiltration of sensitive data. Confirmation of this activity should prompt further investigation, as it raises significant security concerns.
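As an added illustration (not Splunk's own search or code), the matching logic the summary describes, applied to constructed registry events: the filter keeps only 'deleted' actions whose path matches the '*\\shellex\\ContextMenuHandlers\\EPP' wildcard, treating the match case-insensitively the way a Splunk field search would, and rolls hits up per host. The hosts, process names and registry paths in the sample events are assumptions, and the field names follow the Endpoint datamodel naming.

```python
import re

# Wildcard from the rule summary: any registry path ending in the Defender
# context-menu handler key. Splunk-style '*' matches any run of characters.
DEFENDER_EPP_PATTERN = r"*\shellex\ContextMenuHandlers\EPP"

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a Splunk-style wildcard into an anchored, case-insensitive regex.
    Only '*' in the pattern is special; the non-wildcard pieces are escaped, so
    backslashes and the literal '*' key name under Classes in the data are fine."""
    pieces = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)

PATH_RE = wildcard_to_regex(DEFENDER_EPP_PATTERN)

def is_defender_context_menu_deletion(event: dict) -> bool:
    """True when the event is a registry deletion whose path matches the rule."""
    return (event.get("action", "").lower() == "deleted"
            and PATH_RE.match(event.get("registry_path", "")) is not None)

def summarize_by_host(events: list) -> dict:
    """Mirror a 'count by dest' roll-up: hits per host plus the processes seen."""
    summary = {}
    for ev in filter(is_defender_context_menu_deletion, events):
        row = summary.setdefault(ev["dest"], {"count": 0, "process_names": set()})
        row["count"] += 1
        row["process_names"].add(ev["process_name"])
    return summary

# Constructed sample events (assumed hosts, processes and paths; not real
# telemetry). Field names follow the Endpoint.Registry datamodel naming.
SAMPLE_EVENTS = [
    {"dest": "ws01", "action": "deleted", "process_name": "reg.exe",
     "registry_path": r"HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP"},
    {"dest": "ws01", "action": "deleted", "process_name": "powershell.exe",
     "registry_path": r"HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\epp"},
    # Modification rather than deletion: outside the rule's scope.
    {"dest": "ws02", "action": "modified", "process_name": "msiexec.exe",
     "registry_path": r"HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP"},
    # Some other handler deleted: the path does not end in \EPP.
    {"dest": "ws02", "action": "deleted", "process_name": "reg.exe",
     "registry_path": r"HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Other"},
]

if __name__ == "__main__":
    for host, row in summarize_by_host(SAMPLE_EVENTS).items():
        print(host, row["count"], sorted(row["process_names"]))
```

The two non-matching sample events show the rule's scope: a modification of the same key and a deletion of a different handler are both left alone, so tuning effort goes into the 'deleted' plus EPP-path combination only.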
Categories
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-11-13