
Summary
Detects modifications to the Windows Filtering Platform (WFP) policy that block the communication of known EDR processes, by monitoring Windows Registry changes under the FirewallRules key. The rule looks for Registry modify actions under Parameters\FirewallPolicy\FirewallRules where Action=Block and the App entry matches a list of common security tools (e.g., MsMpEng.exe, TaniumClient.exe, CylanceSvc.exe, Elastic-Agent, Sentinel services and other EDR-related binaries). It relies on telemetry from EDR agents and Sysmon Event ID 13 to correlate registry changes with process context, so the logs must be ingested and CIM-normalized to the Endpoint data model.

Attacker use-case: attackers may alter WFP policies to suppress EDR communications and hide their activity on the host. While useful for detecting tampering, the rule may also flag legitimate security hardening or admin tasks; confirm with IT before alerting. The detection is intended for endpoint telemetry and helps identify tampering attempts that disable EDR protections at the network policy level.
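The matching logic described above, as an added Python example that is not the rule's own search: it parses the pipe-delimited FirewallRules value strings (schema version token followed by key=value pairs) carried in Sysmon Event ID 13 "Details" and flags Block rules whose App path names an EDR binary. The EDR pattern list, the sample events and the GUID-style value names are constructed for illustration.

```python
from typing import Dict, List

# Sysmon Event ID 13 = RegistryEvent (Value Set); the rule only considers this ID.
SYSMON_REG_VALUE_SET = 13
# Key path fragment from the summary, matched case-insensitively anywhere in TargetObject.
FIREWALL_RULES_KEY = "\\parameters\\firewallpolicy\\firewallrules\\"
# Illustrative EDR process patterns taken from the summary (assumption: the real list is longer).
EDR_PATTERNS = ("msmpeng.exe", "taniumclient.exe", "cylancesvc.exe", "elastic-agent", "sentinel")


def parse_rule(details: str) -> Dict[str, str]:
    """Parse a FirewallRules value like 'v2.31|Action=Block|Dir=Out|App=C:\\x.exe|Name=n|'.

    The first '|'-separated token is the schema version; every following token is key=value.
    """
    tokens = details.strip().strip("|").split("|")
    fields: Dict[str, str] = {"Version": tokens[0]}
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_edr_block(event: Dict[str, object]) -> bool:
    """True when a Sysmon registry event writes a Block rule whose App is an EDR binary."""
    if event.get("EventID") != SYSMON_REG_VALUE_SET:
        return False
    if FIREWALL_RULES_KEY not in str(event.get("TargetObject", "")).lower():
        return False
    rule = parse_rule(str(event.get("Details", "")))
    if rule.get("Action", "").lower() != "block":
        return False
    app = rule.get("App", "").lower()
    return any(pattern in app for pattern in EDR_PATTERNS)


def find_edr_blocks(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Apply the rule over a batch of events; each hit keeps the writing process (Image) for context."""
    return [dict(parse_rule(str(e["Details"])), Image=str(e.get("Image", ""))) for e in events if is_edr_block(e)]


# Constructed sample Sysmon events (not real telemetry); {RULE-n} value names are placeholders.
KEY = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\netsh.exe", "TargetObject": KEY + r"\{RULE-1}",
     "Details": r"v2.31|Action=Block|Active=TRUE|Dir=Out|App=C:\Program Files\Windows Defender\MsMpEng.exe|Name=Block Defender|"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": KEY + r"\{RULE-2}",
     "Details": r"v2.31|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files\Windows Defender\MsMpEng.exe|Name=Allow Defender|"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": KEY + r"\{RULE-3}",
     "Details": r"v2.31|Action=Block|Active=TRUE|Dir=Out|App=C:\Tools\updater.exe|Name=Block updater|"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "TargetObject": KEY + r"\{RULE-4}",
     "Details": r"v2.31|Action=Block|Active=TRUE|Dir=Out|App=C:\Program Files\Elastic\Agent\elastic-agent.exe|Name=Block Elastic|"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "CommandLine": "reg add ..."},  # not a registry event
]

if __name__ == "__main__":
    for hit in find_edr_blocks(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} wrote '{hit['Name']}': {hit['Action']} {hit['App']}")
```

Only the two Block rules aimed at MsMpEng.exe and elastic-agent.exe fire; the Allow rule and the Block rule for an unrelated binary are ignored, which is the false-positive boundary the summary describes.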
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1685
- T1562
Created: 2026-04-13