Windows Firewall Rule Creation

Anvilogic Forge

Summary
This detection rule identifies attempts by threat actors to modify Windows Firewall settings through command-line utilities such as netsh or the PowerShell cmdlet New-NetFirewallRule. The logic captures any addition of a firewall rule, which may indicate malicious intent, particularly in the context of known threat actors such as APT29, APT35, and others. The rule uses Splunk's query language to search endpoint data for occurrences of these terms and organizes the findings by time, host, user, and process details for further analysis. It relates to the defense evasion tactic classified under MITRE ATT&CK technique T1562.004, which makes it relevant to security teams monitoring for unauthorized changes to firewall configurations. The rule is best suited to EDR environments where command-line parameters are logged, since the detection depends on the recorded process command line. It draws on referenced materials describing the techniques used by prominent threat groups and provides a framework for detecting attempts to disable or manipulate the system firewall.
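As an added illustration of the matching described above (this is not Anvilogic's rule or its Splunk query), the Python sketch below applies the same idea to a handful of constructed process-creation events: it flags command lines that add a firewall rule via netsh (both the `advfirewall firewall add rule` and the legacy `firewall add` forms, an assumption about which netsh syntaxes to cover) or via `New-NetFirewallRule`, and then groups the hits by host and user. The event field names (`time`, `host`, `user`, `process`, `command_line`) and the sample events are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample endpoint process events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2024-02-09T10:01:12Z", "host": "WS-01", "user": "CORP\\alice",
     "process": "netsh.exe",
     "command_line": 'netsh advfirewall firewall add rule name="Updater" dir=in '
                     'action=allow program="C:\\Temp\\u.exe"'},
    {"time": "2024-02-09T10:02:30Z", "host": "WS-01", "user": "CORP\\alice",
     "process": "netsh.exe",
     "command_line": "netsh interface show interface"},          # benign: no rule added
    {"time": "2024-02-09T10:05:44Z", "host": "SRV-02", "user": "CORP\\svc-backup",
     "process": "powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command New-NetFirewallRule "
                     "-DisplayName 'Remote Mgmt' -Direction Inbound -Action Allow "
                     "-LocalPort 8443 -Protocol TCP"},
    {"time": "2024-02-09T10:06:01Z", "host": "SRV-02", "user": "CORP\\svc-backup",
     "process": "powershell.exe",
     "command_line": "powershell.exe -Command Get-NetFirewallRule "
                     "-DisplayName 'Remote Mgmt'"},               # benign: read-only cmdlet
    {"time": "2024-02-09T10:07:15Z", "host": "WS-03", "user": "CORP\\bob",
     "process": "cmd.exe",
     "command_line": 'cmd.exe /c NETSH ADVFIREWALL FIREWALL ADD RULE name="svc" '
                     'dir=in action=allow protocol=TCP localport=8443'},
]

# Case-insensitive patterns; the netsh pattern deliberately accepts both the
# modern "advfirewall firewall add rule" and the legacy "firewall add ..." syntax.
PATTERNS = {
    "netsh_firewall_add": re.compile(
        r"\bnetsh\b.*\bfirewall\b.*\badd\b", re.IGNORECASE | re.DOTALL),
    "powershell_new_netfirewallrule": re.compile(
        r"\bNew-NetFirewallRule\b", re.IGNORECASE),
}


def detect_firewall_rule_creation(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event whose command line adds a firewall rule.

    Findings keep the time, host, user and process fields so an analyst can
    pivot on them, plus the name of the pattern that fired.
    """
    findings = []
    for ev in events:
        cmd = ev.get("command_line", "")
        for rule_name, pattern in PATTERNS.items():
            if pattern.search(cmd):
                findings.append({
                    "time": ev["time"],
                    "host": ev["host"],
                    "user": ev["user"],
                    "process": ev["process"],
                    "command_line": cmd,
                    "rule": rule_name,
                })
                break  # one finding per event is enough
    return sorted(findings, key=lambda f: f["time"])


def summarize_by_host_user(findings: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count findings per (host, user) pair, mirroring a group-by for triage."""
    return dict(Counter((f["host"], f["user"]) for f in findings))


if __name__ == "__main__":
    hits = detect_firewall_rule_creation(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["time"]} {h["host"]} {h["user"]} {h["process"]} [{h["rule"]}] {h["command_line"]}')
    for (host, user), n in summarize_by_host_user(hits).items():
        print(f"{host} / {user}: {n} firewall rule addition(s)")
```

Two of the five constructed events are deliberately benign (`netsh interface show interface` and `Get-NetFirewallRule`) to show that the match is on rule addition, not on any use of netsh or the NetSecurity cmdlets; the third netsh hit is upper-case and wrapped in `cmd.exe /c`, which is why the patterns are case-insensitive and search the whole command line rather than the process name.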
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Command
  • Logon Session
ATT&CK Techniques
  • T1021.001
  • T1562.004
Created: 2024-02-09