
Summary
This analytic detection rule targets Windows registry changes that indicate an attempt to disable Windows Defender Application Guard auditing. Specifically, it monitors modifications to the registry path `Policies\Microsoft\AppHVSI\AuditApplicationGuard` where the value is set to `0x00000000`, which disables the feature. Such actions are noteworthy because disabling auditing reduces the effectiveness of security monitoring and lets potentially malicious activity go undetected. Attackers can exploit this weakness to bypass Windows Defender protections, which may lead to unauthorized access or data exfiltration. The rule leverages Sysmon events (EventID 12 and 13) and requires that the related registry telemetry be ingested into the `Endpoint` datamodel for effective detection and alerting on these changes.
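As an added illustration of the match logic above (not the rule's own search, which runs against the `Endpoint` datamodel), the following Python flags Sysmon registry events whose target is `Policies\Microsoft\AppHVSI\AuditApplicationGuard` with the value set to DWORD `0x00000000`. The event XML, image paths and hive prefix below are constructed sample data; the only Sysmon facts relied on are that EventID 13 (value set) carries `TargetObject` and `Details`, while EventID 12 (key create/delete) carries no value.

```python
"""Flag Sysmon registry events that set AuditApplicationGuard to DWORD 0."""
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TARGET_SUFFIX = r"policies\microsoft\apphvsi\auditapplicationguard"
DISABLED_VALUE = "DWORD (0x00000000)"  # Sysmon's Details format for a DWORD of 0


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event into {'EventID': int, <EventData Name>: value}."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the xmlns prefix
        if tag == "EventID":
            fields["EventID"] = int(el.text)
        elif tag == "Data" and "Name" in el.attrib:
            fields[el.attrib["Name"]] = el.text or ""
    return fields


def is_audit_guard_disabled(event):
    """True only for EventID 13 writing DWORD 0 to AuditApplicationGuard."""
    if event.get("EventID") != 13:  # EventID 12 has no Details to inspect
        return False
    if not event.get("TargetObject", "").lower().endswith(TARGET_SUFFIX):
        return False
    return event.get("Details", "") == DISABLED_VALUE


def find_alerts(xml_events):
    """Return (Image, TargetObject, Details) for each matching event."""
    hits = [parse_sysmon_event(raw) for raw in xml_events]
    return [(e.get("Image"), e.get("TargetObject"), e.get("Details"))
            for e in hits if is_audit_guard_disabled(e)]


def _event(eid, **data):
    """Build a constructed Sysmon-style event (sample data, not real telemetry)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


KEY = r"HKLM\SOFTWARE\Policies\Microsoft\AppHVSI\AuditApplicationGuard"
SAMPLE_EVENTS = [  # constructed: one disable, one enable, one key creation
    _event(13, EventType="SetValue", Image=r"C:\Windows\regedit.exe",
           TargetObject=KEY, Details="DWORD (0x00000000)"),
    _event(13, EventType="SetValue", Image=r"C:\Windows\System32\gpupdate.exe",
           TargetObject=KEY, Details="DWORD (0x00000001)"),
    _event(12, EventType="CreateKey", Image=r"C:\Windows\regedit.exe",
           TargetObject=r"HKLM\SOFTWARE\Policies\Microsoft\AppHVSI"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT: AuditApplicationGuard disabled by", alert)
```

Only the first sample event is reported; the value `0x00000001` (re-enabling auditing) and the bare key creation are ignored, which mirrors the rule's focus on the `0x00000000` write.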
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-11-13