WDAC Policy File by an Unusual Process

Elastic Detection Rules

Summary
This detection rule identifies the creation of a Windows Defender Application Control (WDAC) policy file by an unusual process, which may indicate adversarial activity. An adversary who can write a bespoke WDAC policy can use it to block legitimate security products from running (ATT&CK T1562, Impair Defenses). The rule is written in EQL (Event Query Language) and matches Windows file events whose action is anything other than deletion and whose target is a file typically associated with WDAC policy creation, excluding writes made by the known benign servicing process poqexec.exe; any other process landing a policy file in those locations is therefore treated as suspect. An alert from this rule warrants investigation of the process execution chain, the user account involved, and the surrounding activity on the host to determine whether the policy change was legitimate. The rule carries a high risk score, so alerts should be triaged promptly, and a confirmed malicious policy change calls for incident response and remediation.
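The page does not reproduce the rule's EQL query, so the following is an added example, not Elastic's rule text, that emulates the described logic in Python over constructed ECS-style file events. It assumes the rule targets the standard WDAC policy locations under System32\CodeIntegrity (SiPolicy.p7b and CiPolicies\Active\<GUID>.cip) and that the allow-listed writer is System32\poqexec.exe; the field names, sample paths and user names are constructed for illustration.

```python
"""Added example (not Elastic's rule text): emulate the described WDAC policy
file detection over constructed ECS-style file events.

Assumptions (not quoted on the page): the rule matches the standard WDAC
policy locations under %SystemRoot%\\System32\\CodeIntegrity, i.e. SiPolicy.p7b
and CiPolicies\\Active\\<GUID>.cip, and the allow-listed benign writer is
%SystemRoot%\\System32\\poqexec.exe.
"""
import fnmatch
from typing import Dict, List

# Locations a WDAC policy binary is written to (documented Microsoft paths),
# treated here as the rule's target set.
WDAC_POLICY_GLOBS = [
    "?:\\windows\\system32\\codeintegrity\\sipolicy.p7b",
    "?:\\windows\\system32\\codeintegrity\\cipolicies\\active\\*.cip",
]
# Known-benign writer excluded by the rule: the servicing-stack executor that
# applies a policy during Windows updates.
BENIGN_WRITER_GLOB = "?:\\windows\\system32\\poqexec.exe"


def _glob(value: str, pattern: str) -> bool:
    """Case-insensitive glob, mirroring EQL's ':' wildcard comparison."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_wdac_policy_write(event: Dict) -> bool:
    """Return True when a file event should alert under the described rule."""
    if event.get("event.category") != "file":
        return False
    if event.get("host.os.type") != "windows":
        return False
    if event.get("event.type") == "deletion":        # deletions are out of scope
        return False
    path = event.get("file.path", "")
    if not any(_glob(path, g) for g in WDAC_POLICY_GLOBS):
        return False
    exe = event.get("process.executable", "")
    return not _glob(exe, BENIGN_WRITER_GLOB)        # drop the allow-listed writer


def alerts(events: List[Dict]) -> List[Dict]:
    """Run the rule over a batch and return the alerting events, reduced to the
    fields an analyst pivots on first: the file, the writer, its parent, the user."""
    out = []
    for ev in events:
        if is_wdac_policy_write(ev):
            out.append({
                "file": ev["file.path"],
                "writer": ev.get("process.executable"),
                "parent": ev.get("process.parent.executable"),
                "user": ev.get("user.name"),
            })
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # servicing stack applying a policy: excluded by the rule
        "event.category": "file", "event.type": "creation", "host.os.type": "windows",
        "file.path": r"C:\Windows\System32\CodeIntegrity\SiPolicy.p7b",
        "process.executable": r"C:\Windows\System32\poqexec.exe",
        "process.parent.executable": r"C:\Windows\System32\svchost.exe",
        "user.name": "SYSTEM",
    },
    {   # PowerShell dropping a .cip into the active policy directory: alerts
        "event.category": "file", "event.type": "creation", "host.os.type": "windows",
        "file.path": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{A244370E-44C9-4C06-B551-F6016E563076}.cip",
        "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "process.parent.executable": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "user.name": "alice",
    },
    {   # deletion of a policy file: not in scope (event.type == deletion)
        "event.category": "file", "event.type": "deletion", "host.os.type": "windows",
        "file.path": r"C:\Windows\System32\CodeIntegrity\SiPolicy.p7b",
        "process.executable": r"C:\Windows\System32\cmd.exe",
        "user.name": "alice",
    },
    {   # unrelated file in the CodeIntegrity tree: path does not match
        "event.category": "file", "event.type": "modification", "host.os.type": "windows",
        "file.path": r"C:\Windows\System32\CodeIntegrity\bootcat.cache",
        "process.executable": r"C:\Windows\System32\svchost.exe",
        "user.name": "SYSTEM",
    },
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit)
```

Only the PowerShell write alerts: the poqexec.exe write is allow-listed, the deletion is out of scope, and the non-policy file does not match the path set. Note that the example covers only the System32 locations; a policy staged for UEFI boot can also be copied to the EFI system partition, which this approximation does not watch.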
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • File
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1562 (Impair Defenses)
Created: 2025-02-28