
Summary
This rule detects Windows Filtering Platform (WFP) blocked-connection events (Security Event ID 5157, "The Windows Filtering Platform has blocked a connection") in which the blocked application is the executable of a common Endpoint Detection and Response (EDR) agent. Adversaries can add WFP filters that drop an EDR agent's network traffic, so the agent keeps running on the host but can no longer report events to its management console. By matching the Application field of Event ID 5157 against a list of EDR-related binaries, the rule surfaces this form of defense evasion. Event ID 5157 is only written when the "Audit Filtering Platform Connection" subcategory is enabled for failure events, so confirm that audit setting is in place before relying on this rule; once an alert fires, the Filter Run-Time ID recorded in the event identifies the WFP filter responsible and can be used to find and remove it.
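The detection logic described above, as an added example that is not the rule's own implementation: it parses Event ID 5157 records in the Windows event XML schema, extracts the Application path and Filter Run-Time ID from EventData, and flags records whose executable name is on an EDR watchlist. The watchlist, the sample records, and the addresses in them are constructed for the example; the page does not show which binaries the real rule matches.

```python
"""Match WFP blocked-connection events (Event ID 5157) against EDR agent binaries."""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Constructed watchlist (assumption: illustrative EDR executables; the rule's
# real list is not shown on the page). Compared case-insensitively by file name.
EDR_BINARIES = {
    "msmpeng.exe", "mssense.exe", "senseir.exe",          # Microsoft Defender
    "csfalconservice.exe", "csfalconcontainer.exe",       # CrowdStrike Falcon
    "sentinelagent.exe", "sentinelservicehost.exe",       # SentinelOne
    "repmgr.exe", "cb.exe",                               # Carbon Black
    "elastic-endpoint.exe", "elastic-agent.exe",          # Elastic Endpoint
}

# Direction values as they appear in the raw EventData of 5157.
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}


def parse_event(xml_text):
    """Return (event_id, eventdata dict) for one event in the Windows XML schema."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return event_id, data


def detect_blocked_edr_connections(xml_records):
    """Yield one alert dict per Event ID 5157 whose Application is an EDR binary."""
    alerts = []
    for record in xml_records:
        event_id, data = parse_event(record)
        if event_id != 5157:
            continue  # 5156 (allowed) and other events are not of interest here
        app_path = data.get("Application", "").lower()
        exe = app_path.rsplit("\\", 1)[-1]  # Application is a \device\... path
        if exe not in EDR_BINARIES:
            continue
        alerts.append({
            "exe": exe,
            "application": app_path,
            "pid": data.get("ProcessID", ""),
            "direction": DIRECTION.get(data.get("Direction", ""), data.get("Direction", "")),
            "dest": f"{data.get('DestAddress', '')}:{data.get('DestPort', '')}",
            "filter_rtid": data.get("FilterRTID", ""),  # pivot to the WFP filter
        })
    return alerts


def make_record(event_id, application, direction, dest_addr, dest_port, filter_rtid):
    """Build a constructed Security-log event in the Windows XML schema (sample data)."""
    return f"""<Event xmlns="{EVENT_NS}">
  <System><EventID>{event_id}</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="ProcessID">4212</Data>
    <Data Name="Application">{application}</Data>
    <Data Name="Direction">{direction}</Data>
    <Data Name="SourceAddress">10.0.0.25</Data>
    <Data Name="SourcePort">51122</Data>
    <Data Name="DestAddress">{dest_addr}</Data>
    <Data Name="DestPort">{dest_port}</Data>
    <Data Name="Protocol">6</Data>
    <Data Name="FilterRTID">{filter_rtid}</Data>
  </EventData>
</Event>"""


# Constructed sample records: one real hit, one blocked non-EDR process,
# and one *allowed* (5156) EDR connection that must not alert.
SAMPLE_RECORDS = [
    make_record(5157, r"\device\harddiskvolume3\program files\windows defender\MsMpEng.exe",
                "%%14593", "203.0.113.10", "443", "70873"),
    make_record(5157, r"\device\harddiskvolume3\program files\google\chrome\chrome.exe",
                "%%14593", "203.0.113.20", "443", "70874"),
    make_record(5156, r"\device\harddiskvolume3\program files\windows defender\MsMpEng.exe",
                "%%14593", "203.0.113.10", "443", "0"),
]

if __name__ == "__main__":
    for alert in detect_blocked_edr_connections(SAMPLE_RECORDS):
        print(alert)
```

Matching on the file name rather than the full path keeps the rule robust to the `\device\harddiskvolumeN` prefix, which varies between hosts. The `filter_rtid` in each alert is the value to carry into the investigation, since it identifies the WFP filter that caused the block.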
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
- Network Traffic
Created: 2024-01-08