
Windows Modify Registry Suppress Win Defender Notif

Splunk Security Content

Summary
This detection rule identifies modifications to the Windows registry aimed at suppressing notifications from Windows Defender. Specifically, it tracks changes made to the "Notification_Suppress" registry value within the Endpoint.Registry datamodel, utilizing Sysmon event IDs 12 and 13. Such alterations are commonly employed by malicious actors, including those distributing Azorult malware, to circumvent Windows Defender's protective measures and disable crucial alerts that inform users about potential threats. If this behavior is confirmed as malicious, it poses a significant risk as it allows attackers to execute operations unnoticed, facilitating persistent malicious activities without raising alarms on the endpoint or within security monitoring systems.
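As an added illustration, not the rule's own SPL search from Splunk Security Content, the Python below re-implements the logic the summary describes: filter Sysmon registry events to IDs 12 and 13, keep those whose target value is named Notification_Suppress, and group the hits the way a `stats count by` would. The sample events are constructed; the Defender UX Configuration key path used in them is an assumption made for illustration, since the page names only the value, and the matcher keys on the value name rather than the full path for that reason.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Sysmon event IDs the rule relies on: 12 = registry object added/deleted,
# 13 = registry value set.
REGISTRY_EVENT_IDS = {12, 13}
# Value name named on the page; compared case-insensitively.
SUPPRESS_VALUE_NAME = "notification_suppress"


@dataclass(frozen=True)
class RegistryEvent:
    """One Sysmon registry event, normalized to the fields the detection needs."""
    event_id: int
    host: str
    user: str
    process_name: str
    registry_path: str        # full key path with the value name as its last component
    registry_value_data: str  # data written; empty for create/delete events


def value_name(registry_path: str) -> str:
    """Return the last path component (the value name), lower-cased."""
    return registry_path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def is_defender_notification_suppression(ev: RegistryEvent) -> bool:
    """True when a Sysmon 12/13 event targets a Notification_Suppress value."""
    return ev.event_id in REGISTRY_EVENT_IDS and value_name(ev.registry_path) == SUPPRESS_VALUE_NAME


def detect(events: Iterable[RegistryEvent]) -> List[RegistryEvent]:
    """Apply the detection to a stream of events and return the matching ones."""
    return [ev for ev in events if is_defender_notification_suppression(ev)]


def summarize(hits: Iterable[RegistryEvent]) -> Dict[Tuple[str, str, str, str, str], int]:
    """Group hits by host, user, process, path and data, like Splunk's stats count by."""
    return dict(Counter(
        (h.host, h.user, h.process_name, h.registry_path, h.registry_value_data) for h in hits
    ))


# Constructed sample telemetry (not real events). The key path is an assumed
# location for the Defender UX notification setting, used only to make the
# sample realistic; the detection does not depend on it.
DEFENDER_UX_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration"

SAMPLE_EVENTS = [
    # Ordinary Run-key write by the shell: must not alert.
    RegistryEvent(13, "ws01", r"CORP\alice", "explorer.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                  r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    # Value created (event 12), then set to 1 (event 13): both should alert.
    RegistryEvent(12, "ws01", r"CORP\alice", "reg.exe",
                  DEFENDER_UX_KEY + r"\Notification_Suppress", ""),
    RegistryEvent(13, "ws01", r"CORP\alice", "reg.exe",
                  DEFENDER_UX_KEY + r"\Notification_Suppress", "DWORD (0x00000001)"),
    # Different value under the same key: no alert.
    RegistryEvent(13, "ws02", r"CORP\bob", "svchost.exe",
                  DEFENDER_UX_KEY + r"\UILockdown", "DWORD (0x00000000)"),
    # Right value name but not a registry event ID: no alert.
    RegistryEvent(1, "ws02", r"CORP\bob", "reg.exe",
                  DEFENDER_UX_KEY + r"\Notification_Suppress", ""),
]


if __name__ == "__main__":
    for key, count in summarize(detect(SAMPLE_EVENTS)).items():
        print(count, *key)
```

Matching on the value name alone mirrors the summary, which says the rule tracks changes to that value; an analyst tuning this in production would typically also inspect the data written (a value of 1 enables suppression) and the writing process, since a create followed by a set from a command-line tool is the pattern worth triaging first.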
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1112
Created: 2024-11-13