
Potentially Suspicious WDAC Policy File Creation

Sigma Rules

Summary
This rule flags the creation of Windows Defender Application Control (WDAC) policy files by processes that would not normally write them. WDAC is enforced by the kernel's code-integrity subsystem, so an attacker who can drop a policy of their own can use it to deny the binaries of an EDR or antivirus product from loading while still allowing their own tooling to run, a defence-evasion technique rather than an exploit. The detection monitors file creation events under `\Windows\System32\CodeIntegrity\`, the directory that holds the active policy (`SIPolicy.p7b`, and the per-policy `.cip` files under `CiPolicies\Active\`), and excludes known legitimate writers such as Microsoft's WDAC management executables and common command-line interpreters; any other process creating a file there is reported as a potential attempt to plant or replace a policy. The rule is rated medium severity because legitimate deployment tooling that is not on the filter list can produce the same event, so an alert should be confirmed by inspecting the new policy file and the process that wrote it.
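The following is an added example, not the rule's own YAML or any code from the Sigma project: a minimal Python evaluator that applies the "selection AND NOT filter" logic described above to a few constructed Sysmon Event ID 11 (FileCreate) records. The two image allow-lists are assumptions that stand in for the rule's real filter entries, and the sample events are constructed for illustration.

```python
"""Added example (not the Sigma rule's source): evaluate the WDAC policy-file
creation logic over constructed Sysmon Event ID 11 (FileCreate) records.

Assumptions, labelled here and in the lead-in:
  * ASSUMED_MANAGEMENT_IMAGES and ASSUMED_CLI_IMAGES are hypothetical
    stand-ins for the rule's filter lists, not copied from the rule.
  * CONSTRUCTED_EVENTS are made-up log records, not real telemetry.
"""

from dataclasses import dataclass

# Sigma 'TargetFilename|contains' target: the directory that holds WDAC
# policies (SIPolicy.p7b and CiPolicies\Active\<GUID>.cip). Sigma string
# matching is case-insensitive by default, so everything is lower-cased.
POLICY_DIR = "\\windows\\system32\\codeintegrity\\"

# ASSUMED allow-list of binaries that legitimately write policies.
ASSUMED_MANAGEMENT_IMAGES = (
    "\\citool.exe",
    "\\trustedinstaller.exe",
    "\\tiworker.exe",
    "\\svchost.exe",
)

# ASSUMED stand-in for the "common command-line interfaces" the rule excludes.
ASSUMED_CLI_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


@dataclass(frozen=True)
class FileCreateEvent:
    """Subset of Sysmon EID 11 fields that a file_event Sigma rule can see.
    Note there is no CommandLine field on a FileCreate event."""

    image: str
    target_filename: str
    user: str = ""


def selection(ev: FileCreateEvent) -> bool:
    """Sigma 'selection' block: file created inside the CodeIntegrity folder."""
    return POLICY_DIR in ev.target_filename.lower()


def filter_legit(ev: FileCreateEvent) -> bool:
    """Sigma 'filter' blocks: writer is a known management tool or a shell."""
    image = ev.image.lower()
    return image.endswith(ASSUMED_MANAGEMENT_IMAGES) or image.endswith(ASSUMED_CLI_IMAGES)


def matches(ev: FileCreateEvent) -> bool:
    """condition: selection and not 1 of filter_*"""
    return selection(ev) and not filter_legit(ev)


def run(events: list[FileCreateEvent]) -> list[FileCreateEvent]:
    """Return the events the rule would raise as alerts, in input order."""
    return [ev for ev in events if matches(ev)]


# Constructed sample records (not real telemetry).
CONSTRUCTED_EVENTS = [
    # Expected: Microsoft's CI policy tool refreshing the active policy.
    FileCreateEvent(
        image=r"C:\Windows\System32\CiTool.exe",
        target_filename=r"C:\Windows\System32\CodeIntegrity\SiPolicy.p7b",
        user="NT AUTHORITY\\SYSTEM",
    ),
    # Suspicious: an unsigned-looking binary from a world-writable path drops
    # a supplemental policy into the active policy folder.
    FileCreateEvent(
        image=r"C:\Users\Public\updater.exe",
        target_filename=r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{D2BDA982-CCF6-4344-AC5B-0B44427B6816}.cip",
        user="CORP\\jdoe",
    ),
    # Excluded by the CLI filter even though the action is identical.
    FileCreateEvent(
        image=r"C:\Windows\System32\cmd.exe",
        target_filename=r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{D2BDA982-CCF6-4344-AC5B-0B44427B6816}.cip",
        user="CORP\\jdoe",
    ),
    # Suspicious: an interactive user overwriting the base policy via Explorer.
    FileCreateEvent(
        image=r"C:\Windows\explorer.exe",
        target_filename=r"C:\Windows\System32\CodeIntegrity\SiPolicy.p7b",
        user="CORP\\jdoe",
    ),
    # Outside the monitored directory: a policy staged on the desktop.
    FileCreateEvent(
        image=r"C:\Windows\System32\notepad.exe",
        target_filename=r"C:\Users\jdoe\Desktop\SiPolicy.p7b",
        user="CORP\\jdoe",
    ),
]


if __name__ == "__main__":
    for alert in run(CONSTRUCTED_EVENTS):
        print(f"ALERT  image={alert.image}  target={alert.target_filename}  user={alert.user}")
```

The third constructed record shows the trade-off the summary hints at: a FileCreate event carries no command line, so excluding shells to cut noise also hides a `copy` or `Copy-Item` of a malicious `.cip` into `CiPolicies\Active\`. If that gap matters in your environment, pair this rule with a process-creation detection on shells whose command line references the CodeIntegrity directory, and treat any alert here as a prompt to pull the new policy file and the writing process's parent chain before the next reboot or policy refresh puts the policy into effect.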
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2025-02-07