
Summary
This detection rule monitors for the uninstallation of Sysinternals Sysmon, a system monitoring tool used to record system activity and improve visibility into suspicious behavior. The rule primarily focuses on Windows process creation logs, specifically looking for instances where the Sysmon executable (Sysmon.exe or Sysmon64.exe) is launched to remove itself. Additionally, it inspects the command line of those processes for the flag that indicates uninstallation ('-u'). Detecting the removal of Sysmon can signal a defense evasion attempt by a threat actor, who may aim to eliminate visibility into system events to avoid detection during malicious activity. The rule flags these actions as high severity because of their implications for security monitoring and incident response.
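As an added example that is not part of the rule or its source, the logic described above applied in Python to constructed process-creation events: the event fields, the whole-argument comparison of the '-u' flag and the sample command lines are this example's own assumptions.

```python
import shlex
from dataclasses import dataclass

# Executable names the rule looks for in process-creation events.
SYSMON_IMAGES = {"sysmon.exe", "sysmon64.exe"}


@dataclass
class ProcessCreateEvent:
    """Minimal stand-in for a Windows process-creation record (constructed for this example)."""
    image: str          # full path of the created process
    command_line: str   # its command line, as logged


def split_command_line(command_line: str) -> list[str]:
    """Split a Windows command line into whitespace-separated arguments.
    posix=False keeps quotes and backslashes in paths intact instead of treating them as escapes."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:          # unbalanced quotes in a malformed log line
        return command_line.split()


def is_sysmon_uninstall(event: ProcessCreateEvent) -> bool:
    """Apply the rule: image is Sysmon.exe/Sysmon64.exe and its arguments carry the '-u' flag.
    Comparisons are case-insensitive, as Windows file names and Sysmon switches are."""
    image_name = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name not in SYSMON_IMAGES:
        return False
    # Compare whole tokens, not substrings: a config path such as 'sysmon-u.xml' must not match.
    return any(arg.lower() == "-u" for arg in split_command_line(event.command_line)[1:])


def scan(events: list[ProcessCreateEvent]) -> list[int]:
    """Return the indices of events that match the rule."""
    return [i for i, ev in enumerate(events) if is_sysmon_uninstall(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessCreateEvent(r"C:\Windows\Sysmon64.exe", r"C:\Windows\Sysmon64.exe -u"),
    ProcessCreateEvent(r"C:\Windows\Sysmon64.exe", r'"C:\Windows\Sysmon64.exe" -U force'),
    ProcessCreateEvent(r"C:\Windows\Sysmon.exe", r"C:\Windows\Sysmon.exe -c C:\cfg\sysmon-u.xml"),
    ProcessCreateEvent(r"C:\Tools\other.exe", r"C:\Tools\other.exe -u"),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"ALERT: Sysmon uninstall observed: {SAMPLE_EVENTS[i].command_line}")
```

Only the first two sample events match; the configuration update whose path merely contains "-u" and the unrelated process passing "-u" do not.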
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1562.001
Created: 2022-01-12