
Summary
This detection flags an instance of MpCmdRun.exe being executed with the -RemoveDefinitions argument, which instructs Windows Defender Antivirus to remove its malware definitions. Attackers may use this to degrade or disable signature-based protection, hindering detection of new or ongoing threats. The rule relies on endpoint telemetry from Sysmon (EventID 1 Process Creation), Windows Security log (4688 Process Creation), and CrowdStrike ProcessRollup2, ingested into the Endpoint data model. The SPL-based search targets processes named MpCmdRun.exe (or original_file_name = MpCmdRun.exe) with a command line containing -RemoveDefinitions, returning the process, its parent, the initiating user, and the destination host. The workflow leverages Splunk CIM normalization and maps to the MITRE ATT&CK technique T1562.001 (Impair Defenses). Drilldowns are provided to inspect the user and host involved and the parent/child process relationships. False positives may include legitimate administrative or maintenance activities by admins or security tools. Recommended actions include monitoring for -RemoveDefinitions usage, enforcing least-privilege, validating change control for Defender-related operations, and correlating with Defender status and definition update events.
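As an added illustration (not the rule's own SPL), the matching logic described above re-implemented in Python and run over constructed CIM-style Endpoint.Processes records; the field names follow the Splunk Endpoint data model and the match is case-insensitive, which is the safer default for a command-line substring check.

```python
"""Defender definition-removal check: process_name or original_file_name equals
MpCmdRun.exe AND the command line contains -RemoveDefinitions."""

TARGET_BINARY = "mpcmdrun.exe"
TARGET_SWITCH = "-removedefinitions"

# Constructed sample events (not real telemetry), in Endpoint.Processes field names.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "process_name": "MpCmdRun.exe",
     "original_file_name": "MpCmdRun.exe", "parent_process_name": "cmd.exe",
     "process": '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All'},
    # Renamed copy: process_name no longer matches, original_file_name (PE metadata) still does.
    {"dest": "ws02", "user": "CORP\\bob", "process_name": "svc.exe",
     "original_file_name": "MpCmdRun.exe", "parent_process_name": "powershell.exe",
     "process": "svc.exe -removedefinitions"},
    # Benign maintenance: same binary, a signature update rather than a removal.
    {"dest": "ws03", "user": "NT AUTHORITY\\SYSTEM", "process_name": "MpCmdRun.exe",
     "original_file_name": "MpCmdRun.exe", "parent_process_name": "svchost.exe",
     "process": "MpCmdRun.exe -SignatureUpdate"},
]


def is_definition_removal(event):
    """True when the event is MpCmdRun.exe (by name or original file name)
    launched with the -RemoveDefinitions switch."""
    names = (event.get("process_name", ""), event.get("original_file_name", ""))
    binary_match = any(n.lower() == TARGET_BINARY for n in names)
    switch_match = TARGET_SWITCH in event.get("process", "").lower()
    return binary_match and switch_match


def find_definition_removals(events):
    """Return the fields the rule surfaces (process, parent, user, dest)
    for every matching event, preserving input order."""
    hits = []
    for ev in events:
        if is_definition_removal(ev):
            hits.append({
                "dest": ev.get("dest"),
                "user": ev.get("user"),
                "process": ev.get("process"),
                "parent_process_name": ev.get("parent_process_name"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_definition_removals(SAMPLE_EVENTS):
        print(f"{hit['dest']} {hit['user']} <- {hit['parent_process_name']}: {hit['process']}")
```

The second sample shows why the rule also keys on original_file_name: a renamed binary would otherwise slip past a process_name-only match.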
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1562.001
Created: 2026-03-03