
Summary
This analytic rule detects unauthorized modifications to the Windows Registry that disable Windows Defender SpyNet reporting. Turning off SpyNet reporting stops telemetry from being sent to Microsoft, which can mask malicious activity on the host. The rule uses the Endpoint.Registry data model and focuses on changes to the registry path associated with SpyNet settings, relying on Sysmon Event IDs 12 (registry object create and delete) and 13 (registry value set) to track those changes. The detection matters because attackers may make this modification to evade detection mechanisms and maintain persistence in a compromised environment. When it triggers, the rule provides context on the process that made the change and the associated user, which supports effective incident response. Implementing the rule requires ingesting registry-change logs from endpoints via Sysmon, version 2.0 or later, since that is the version that introduced registry event logging. False positives can occur when legitimate users disable Windows Defender, so analysts should review the surrounding context carefully before drawing conclusions.
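The following is an added example, not part of the rule page or the Splunk project's own search: a small Python detector that applies the same logic to raw Sysmon Event ID 12 and 13 records. It assumes the commonly documented policy value HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting (the page itself only refers to "the registry path associated with SpyNet settings"), and the events it runs over are constructed samples, not real captures. Each alert carries the process image and user so an analyst can triage the legitimate-disable case the summary warns about.

```python
import xml.etree.ElementTree as ET

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TRACKED_EVENT_IDS = {"12", "13"}  # Sysmon 12: key/value create or delete; 13: value set

# Assumption (not stated on the page): the policy value that controls SpyNet reporting.
SPYNET_VALUE_SUFFIX = r"\microsoft\windows defender\spynet\spynetreporting"
DISABLED_DATA = "DWORD (0x00000000)"  # Sysmon renders REG_DWORD data in this form


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event's EventData into a dict keyed by each Data element's Name."""
    root = ET.fromstring(xml_text)
    event_id = root.find("e:System/e:EventID", SYSMON_NS).text
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", SYSMON_NS)}
    fields["EventID"] = event_id
    return fields


def classify(event):
    """Return a reason string if the event modifies SpyNet reporting, otherwise None."""
    if event.get("EventID") not in TRACKED_EVENT_IDS:
        return None
    if not event.get("TargetObject", "").lower().endswith(SPYNET_VALUE_SUFFIX):
        return None
    if event["EventID"] == "13":
        # Only a value of 0 disables reporting; other DWORDs (e.g. membership level) are benign.
        return "spynet_reporting_set_to_0" if event.get("Details", "").strip() == DISABLED_DATA else None
    # EID 12: the value itself was created or deleted, which is worth a look on its own.
    return "spynet_reporting_value_%s" % event.get("EventType", "unknown").lower()


def detect(xml_events):
    """Run classify over raw events and keep the context an analyst needs to triage."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        reason = classify(ev)
        if reason:
            alerts.append({
                "reason": reason,
                "time": ev.get("UtcTime"),
                "image": ev.get("Image"),   # process that made the change
                "user": ev.get("User"),     # account it ran as
                "target": ev.get("TargetObject"),
                "details": ev.get("Details"),
            })
    return alerts


def make_event(event_id, **data):
    """Build a constructed Sysmon-style XML event (sample input, not a real capture)."""
    body = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>%s</EventID></System><EventData>%s</EventData></Event>'
            % (event_id, body))


# Constructed sample events: one disable, one benign value change on the same key,
# one unrelated registry write, and one deletion of the policy value.
SPYNET_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet"
SAMPLE_EVENTS = [
    make_event("13", EventType="SetValue", UtcTime="2024-12-08 10:15:02.123",
               Image=r"C:\Windows\System32\reg.exe", User=r"CORP\jdoe",
               TargetObject=SPYNET_KEY + r"\SpynetReporting", Details="DWORD (0x00000000)"),
    make_event("13", EventType="SetValue", UtcTime="2024-12-08 10:15:03.001",
               Image=r"C:\Windows\System32\svchost.exe", User=r"NT AUTHORITY\SYSTEM",
               TargetObject=SPYNET_KEY + r"\SpynetReporting", Details="DWORD (0x00000002)"),
    make_event("13", EventType="SetValue", UtcTime="2024-12-08 10:16:00.000",
               Image=r"C:\Windows\regedit.exe", User=r"CORP\jdoe",
               TargetObject=r"HKLM\SOFTWARE\Contoso\Setting", Details="DWORD (0x00000000)"),
    make_event("12", EventType="DeleteValue", UtcTime="2024-12-08 10:17:30.500",
               Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               User=r"CORP\admin", TargetObject=SPYNET_KEY + r"\SpynetReporting"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts: the reg.exe write of 0 by CORP\jdoe and the PowerShell deletion of the value by CORP\admin; the membership-level change and the unrelated key are ignored. The image and user fields are what distinguish an administrator's documented change from something worth escalating.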
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-12-08