Disable Defender MpEngine Registry

Splunk Security Content

Summary
This detection rule monitors for modifications to the Windows Defender MpEngine registry key, specifically a write that sets the MpEnablePus value to 0x00000000. MpEnablePus controls Defender's potentially unwanted application (PUA) protection, so a value of 0 turns that protection off. The analytic uses Sysmon EventID 12 (registry key or value created or deleted) and EventID 13 (registry value set) to track changes under the Microsoft Windows Defender MpEngine registry path. Such modifications matter because they may signal an attempt to weaken Windows Defender's protections ahead of malware execution and further system compromise. Recommended response is to investigate the writing process, user and host, and, if the change is confirmed malicious, to isolate the endpoint to prevent further damage. Implementation requires that Sysmon be configured to log registry events for this path and that those logs be ingested; without that telemetry the detection will not fire.
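The following is an added example, not code from the Splunk Security Content project, showing the rule's logic run over a handful of constructed Sysmon registry events. The field names (EventID, TargetObject, Details, Image, User, Computer, UtcTime) follow Sysmon's EventData schema; the hosts, users, processes and timestamps are invented. The rule matches a TargetObject ending in `\Microsoft\Windows Defender\MpEngine\MpEnablePus` whose Details field decodes to a DWORD of zero; EventID 12 events are scanned as well, but since they carry no Details only an EventID 13 (SetValue) can actually fire.

```python
import re
from typing import Iterable, Optional

# Constructed Sysmon registry events (not real telemetry). EventID 12 is
# RegistryEvent (object create/delete), EventID 13 is RegistryEvent (value set).
SAMPLE_EVENTS = [
    {   # key creation preceding the write; a 12 has no Details field
        "EventID": 12, "EventType": "CreateKey", "UtcTime": "2024-12-16 10:01:02.000",
        "Image": "C:\\Windows\\System32\\reg.exe", "ProcessId": 4120,
        "User": "CORP\\jdoe", "Computer": "ws01.corp.local",
        "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine",
    },
    {   # suspicious: PUA protection switched off via the policy key
        "EventID": 13, "EventType": "SetValue", "UtcTime": "2024-12-16 10:01:02.150",
        "Image": "C:\\Windows\\System32\\reg.exe", "ProcessId": 4120,
        "User": "CORP\\jdoe", "Computer": "ws01.corp.local",
        "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine\\MpEnablePus",
        "Details": "DWORD (0x00000000)",
    },
    {   # benign: same value set to 1 (enabled) by Group Policy processing
        "EventID": 13, "EventType": "SetValue", "UtcTime": "2024-12-16 10:05:00.000",
        "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1304,
        "User": "NT AUTHORITY\\SYSTEM", "Computer": "ws02.corp.local",
        "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine\\MpEnablePus",
        "Details": "DWORD (0x00000001)",
    },
    {   # benign: a zero written to an unrelated Defender value
        "EventID": 13, "EventType": "SetValue", "UtcTime": "2024-12-16 10:06:30.000",
        "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1304,
        "User": "NT AUTHORITY\\SYSTEM", "Computer": "ws02.corp.local",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\Example",
        "Details": "DWORD (0x00000000)",
    },
]

# Match the value name wherever the MpEngine key lives (Policies hive or the
# product's own key); Sysmon records paths case-preserved, so compare case-insensitively.
MPENABLEPUS_RE = re.compile(r"\\microsoft\\windows defender\\mpengine\\mpenablepus$", re.IGNORECASE)
# Sysmon renders DWORD value data as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"^DWORD \((0x[0-9a-f]{1,8})\)$", re.IGNORECASE)


def parse_dword(details: Optional[str]) -> Optional[int]:
    """Decode a Sysmon 'DWORD (0x........)' Details string; None if absent or not a DWORD."""
    if not details:
        return None
    m = DWORD_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def is_mpenablepus_disable(event: dict) -> bool:
    """True when the event writes MpEnablePus = 0, i.e. turns PUA protection off."""
    if event.get("EventID") not in (12, 13):
        return False
    if not MPENABLEPUS_RE.search(event.get("TargetObject", "")):
        return False
    return parse_dword(event.get("Details")) == 0


def detect(events: Iterable[dict]) -> list:
    """Run the rule over an event stream and return triage-ready alert records."""
    alerts = []
    for ev in events:
        if is_mpenablepus_disable(ev):
            alerts.append({
                "time": ev.get("UtcTime"),
                "host": ev.get("Computer"),
                "user": ev.get("User"),
                "process": ev.get("Image"),
                "pid": ev.get("ProcessId"),
                "registry_path": ev["TargetObject"],
                "value": ev.get("Details"),
                "technique": "T1562.001",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events only the reg.exe write on ws01 fires; the svchost.exe write that re-enables the setting and the zero written to a different value do not. In production the writing process and user are the first triage pivots: a Group Policy refresh or a management agent setting the value is expected, an interactive reg.exe or PowerShell write by a standard user is not.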
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Sensor Health
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-12-16