
Windows Registry Dotnet ETW Disabled Via ENV Variable

Splunk Security Content

Summary
This detection rule monitors modifications to the Windows registry that target the COMPlus_ETWEnabled value within the Environment key. Disabling ETW for the .NET Framework lets an attacker bypass Endpoint Detection and Response (EDR) systems, making their malicious activity harder to detect. The rule covers changes under both the user-level and machine-wide Environment keys, using a data model populated from Sysmon Event ID 13 (registry value set) logs. Its primary aim is to identify potentially malicious behavior that could lead to further compromise of the system. The analytic alerts on registry changes that set the ETW value to disabled, an action typically associated with evasion tactics in attack scenarios.
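The detection logic described above, as an added example that is not the Splunk rule itself or any code from the Splunk Security Content project. It evaluates Sysmon Event ID 13 (SetValue) records, represented here as Python dicts using Sysmon's own field names (EventCode, EventType, TargetObject, Details), and flags writes that set COMPlus_ETWEnabled under either the user-level (HKU\...\Environment) or machine-wide (HKLM\...\Session Manager\Environment) key to a disabled value. The sample events are constructed; the treatment of "0" (REG_SZ) and "DWORD (0x00000000)" as the disabled value is an assumption based on how Sysmon renders those registry types.

```python
"""Flag Sysmon Event ID 13 registry writes that disable .NET ETW via COMPlus_ETWEnabled.

Added example, not the Splunk Security Content rule. Field names follow Sysmon's
Event ID 13 schema; the event records below are constructed for illustration.
"""
import re

# Matches the value name under an Environment key, whichever hive it lives in
# (HKU\<SID>\Environment for a user, HKLM\...\Session Manager\Environment for the machine).
TARGET_RE = re.compile(r"\\Environment\\COMPlus_ETWEnabled$", re.IGNORECASE)


def is_etw_disabled_value(details: str) -> bool:
    """Return True when the written value means 'disabled'.

    Assumption: Sysmon renders a REG_SZ as the bare string ("0") and a REG_DWORD
    as "DWORD (0x00000000)"; both forms of zero are treated as disabled.
    """
    d = details.strip().strip('"')
    m = re.match(r"DWORD\s*\((0x[0-9a-fA-F]+)\)", d)
    if m:
        return int(m.group(1), 16) == 0
    return d == "0"


def registry_scope(target_object: str) -> str:
    """Classify the write as machine-wide (HKLM) or user-level (anything else)."""
    return "machine" if target_object.upper().startswith("HKLM\\") else "user"


def detect_etw_disable(events):
    """Return one finding per event that sets COMPlus_ETWEnabled to a disabled value."""
    findings = []
    for ev in events:
        # Only registry value-set events are relevant (Event ID 13, EventType SetValue).
        if ev.get("EventCode") != 13 or ev.get("EventType") != "SetValue":
            continue
        target = ev.get("TargetObject", "")
        if not TARGET_RE.search(target):
            continue
        if not is_etw_disabled_value(ev.get("Details", "")):
            continue
        findings.append({
            "scope": registry_scope(target),
            "target": target,
            "details": ev.get("Details", ""),
            "process": ev.get("Image", ""),
            "user": ev.get("User", ""),
        })
    return findings


# Constructed sample events (not real telemetry). SID and paths are placeholders.
SAMPLE_EVENTS = [
    {   # user-level disable via REG_SZ "0" -> should alert
        "EventCode": 13, "EventType": "SetValue",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Environment\COMPlus_ETWEnabled",
        "Details": "0", "Image": r"C:\Windows\System32\cmd.exe", "User": r"LAB\user1",
    },
    {   # machine-wide disable via REG_DWORD 0 -> should alert
        "EventCode": 13, "EventType": "SetValue",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\Environment\COMPlus_ETWEnabled",
        "Details": "DWORD (0x00000000)", "Image": r"C:\Windows\System32\reg.exe", "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # unrelated Environment value -> no alert
        "EventCode": 13, "EventType": "SetValue",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Environment\Path",
        "Details": r"C:\Tools", "Image": r"C:\Windows\explorer.exe", "User": r"LAB\user1",
    },
    {   # same value name but explicitly enabled -> no alert
        "EventCode": 13, "EventType": "SetValue",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Environment\COMPlus_ETWEnabled",
        "Details": "1", "Image": r"C:\Windows\System32\cmd.exe", "User": r"LAB\user1",
    },
    {   # key creation (Event ID 12), not a value write -> no alert
        "EventCode": 12, "EventType": "CreateKey",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Environment\COMPlus_ETWEnabled",
        "Details": "", "Image": r"C:\Windows\System32\cmd.exe", "User": r"LAB\user1",
    },
]


if __name__ == "__main__":
    for f in detect_etw_disable(SAMPLE_EVENTS):
        print(f"[{f['scope']}] {f['user']} via {f['process']} set {f['target']} = {f['details']}")
```

Both the user-level and the machine-wide write surface as findings, while the enabled value, the unrelated Environment entry and the key-creation event are ignored, which mirrors the scope the rule summary describes.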
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • User Account
ATT&CK Techniques
  • T1562
  • T1562.006
Created: 2025-01-07