
Summary
This detection rule identifies additions to the Windows Firewall rule set by monitoring Event ID 4946 in the Windows Security Event Log. Event 4946 is logged when a rule is added to the Windows Firewall exception list; it is generated only when the "Audit MPSSVC Rule-Level Policy Change" subcategory is enabled, so the rule produces nothing on hosts where that audit policy is off. Such additions are often legitimate administrative actions, but a new allow rule can also be an attacker opening a listener or weakening a host control (T1562.004, Disable or Modify System Firewall). The detection reads the event's RuleName, RuleId, Computer and ProfileChanged fields and compares each new rule against the rules historically seen in the environment, so that a rule name or rule ID never observed before stands out. Correlating a flagged event with the user and the process executions on the same host shortly before it (for example a netsh.exe or PowerShell invocation) helps security teams separate real threats from false positives such as software installers and Group Policy refreshes that add rules in bulk. Proper implementation requires ingesting the relevant Windows Security Event Logs into Splunk and using the Common Information Model to normalize field names so the firewall rule changes can be analyzed in a structured way.
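The baseline comparison and process correlation described above, as an added example that is not the page's own search or Splunk's code. It is written in Python rather than SPL so it runs offline over constructed records: the event XML follows the shape of a Security log record with the 4946 EventData fields (ProfileChanged, RuleId, RuleName), while the hostnames, rule names, GUIDs, timestamps, the baseline set and the process records are all made up for the example. In a Splunk deployment the baseline would come from a lookup or summary index and the process records from the Endpoint data model; both are stand-ins here.

```python
"""Added example: flag Windows Firewall "rule added" events (EventCode 4946)
whose RuleName has not been seen before, and attach process executions on the
same host in the preceding window. All sample data below is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # constructed samples carry no sub-second digits


def make_event(event_id, ts, computer, profile, rule_id, rule_name):
    """Build a constructed Security record with the EventData fields of 4946."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{ts}"/>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="ProfileChanged">{profile}</Data>
    <Data Name="RuleId">{rule_id}</Data>
    <Data Name="RuleName">{rule_name}</Data>
  </EventData>
</Event>"""


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def parse_event(xml_text):
    """Extract EventCode, Computer, time and the rule fields from one record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "EventCode": int(system.find("e:EventID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
        "time": parse_ts(system.find("e:TimeCreated", NS).get("SystemTime")),
        "RuleName": data.get("RuleName", ""),
        "RuleId": data.get("RuleId", ""),
        "ProfileChanged": data.get("ProfileChanged", ""),
    }


def find_unexpected_rules(xml_events, baseline_rule_names, process_events=(),
                          window=timedelta(minutes=10)):
    """Return 4946 events whose RuleName is absent from the historical baseline.
    Each alert carries the process executions on the same Computer that ran
    within `window` before the rule was added, for analyst triage."""
    alerts = []
    for ev in map(parse_event, xml_events):
        if ev["EventCode"] != 4946 or ev["RuleName"] in baseline_rule_names:
            continue  # not a rule-added event, or a rule seen before
        ev["processes"] = [
            p for p in process_events
            if p["Computer"] == ev["Computer"]
            and timedelta(0) <= ev["time"] - parse_ts(p["time"]) <= window
        ]
        alerts.append(ev)
    return alerts


# Constructed sample records (hostnames, GUIDs and rule names are made up).
SAMPLE_EVENTS = [
    # Built-in rule re-added during a policy refresh: present in the baseline.
    make_event(4946, "2025-03-19T10:15:30Z", "ws01.corp.example", "All",
               "{11111111-1111-1111-1111-111111111111}", "Core Networking - DNS (UDP-Out)"),
    # Rule never seen before, added on the Public profile: the case to flag.
    make_event(4946, "2025-03-19T10:21:15Z", "ws01.corp.example", "Public",
               "{22222222-2222-2222-2222-222222222222}", "Remote Support"),
    # 4947 (rule modified) is a different event and is ignored by this check.
    make_event(4947, "2025-03-19T10:30:00Z", "ws02.corp.example", "Domain",
               "{33333333-3333-3333-3333-333333333333}", "File and Printer Sharing (SMB-In)"),
]

# Stand-in for the historical baseline (a lookup or summary index in Splunk).
BASELINE_RULE_NAMES = {"Core Networking - DNS (UDP-Out)", "File and Printer Sharing (SMB-In)"}

# Constructed process execution records, the shape a process-creation source
# would supply after CIM normalization.
SAMPLE_PROCESSES = [
    {"Computer": "ws01.corp.example", "time": "2025-03-19T10:21:02Z", "user": "CORP\\jdoe",
     "process": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Support" dir=in action=allow protocol=TCP localport=4444'},
    {"Computer": "ws02.corp.example", "time": "2025-03-19T10:29:50Z", "user": "CORP\\svc-gpo",
     "process": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for alert in find_unexpected_rules(SAMPLE_EVENTS, BASELINE_RULE_NAMES, SAMPLE_PROCESSES):
        print(alert["Computer"], alert["ProfileChanged"], alert["RuleName"], alert["RuleId"])
        for p in alert["processes"]:
            print("   ", p["user"], p["cmdline"])
```

Running the block flags only the "Remote Support" rule on ws01 and lists the netsh.exe command that preceded it; the DNS rule is suppressed by the baseline and the 4947 record is skipped. Keying the baseline on RuleName alone is a deliberate simplification: RuleId changes every time a rule is recreated, so a baseline on RuleId would re-alert on routine Group Policy refreshes, whereas a name baseline can be evaded by an attacker who reuses a well-known rule name, which is why the process correlation is kept alongside it.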
Categories
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1562.004
Created: 2025-03-19