
Summary
This rule detects execution of rundll32.exe with the parameter user32.dll,LockWorkStation, a command-line method of locking the workstation. It is an uncommon way to invoke the lock screen and has been observed in CONTI ransomware intrusions, where it was used to evade detection and hinder response during the incident. The detection uses process-creation telemetry from Endpoint Detection and Response (EDR) agents, matching on the process name and the command line. If this behavior is confirmed malicious, it may indicate an attempt to obstruct incident response and warrants immediate investigation.
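The matching logic described above, run over constructed process-creation events, as an added example that is not part of the original page or the Splunk rule itself (the rule's actual search is not shown here). It keys on the process name being rundll32.exe and the command line carrying user32.dll,LockWorkStation, tolerating case differences, a full path to user32.dll, quoted image paths, and the bare user32 form (LoadLibrary appends .dll when no extension is given). The sample events, host names, and field names are Sysmon-style constructs chosen for illustration, not real telemetry.

```python
"""
Added example: match rundll32.exe + user32.dll,LockWorkStation in
process-creation events and return triage context for each hit.
"""
import re
from pathlib import PureWindowsPath

# Matches 'user32.dll,LockWorkStation' with defensive tolerances:
# optional path prefix to the DLL, optional '.dll', optional whitespace
# around the comma, case-insensitive. Surrounding context is not anchored,
# so quoting of the image path does not matter.
LOCK_RE = re.compile(
    r"""(?:[^\s"']*\\)?user32(?:\.dll)?\s*,\s*LockWorkStation\b""",
    re.IGNORECASE,
)

# Constructed Sysmon EventID 1-style records (assumed field names).
SAMPLE_EVENTS = [
    {"RecordNumber": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe user32.dll,LockWorkStation"},
    {"RecordNumber": 2, "Computer": "WS02", "User": "CORP\\svc_backup",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\System32\user32.dll,LockWorkStation'},
    {"RecordNumber": 3, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # The launching shell is not rundll32; the rule fires on the child
    # rundll32 process-creation event, not on this one.
    {"RecordNumber": 4, "Computer": "WS03", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c rundll32 user32.dll,LockWorkStation"},
    {"RecordNumber": 5, "Computer": "WS03", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"RUNDLL32.EXE USER32,lockworkstation"},
]


def is_lockworkstation_rundll32(event):
    """True when the created process is rundll32.exe invoking LockWorkStation."""
    proc = PureWindowsPath(event.get("Image", "")).name.lower()
    if proc != "rundll32.exe":
        return False
    return LOCK_RE.search(event.get("CommandLine", "")) is not None


def find_matches(events):
    """Return the subset of events that match the detection."""
    return [e for e in events if is_lockworkstation_rundll32(e)]


def triage(events):
    """
    Per-match context an analyst needs to decide whether the lock was a
    user action or part of an intrusion: who ran it and from which parent.
    """
    return [
        {
            "record": e["RecordNumber"],
            "host": e["Computer"],
            "user": e["User"],
            "parent": PureWindowsPath(e["ParentImage"]).name.lower(),
            "command_line": e["CommandLine"],
        }
        for e in find_matches(events)
    ]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The parent image is what separates an interactive lock (explorer.exe launching rundll32 is rare, but scripted locks from scheduled tasks or logon scripts do occur) from the ransomware case, where the parent is typically a shell or script host spawned during the intrusion; this is the context the summary's "verify as malicious" step depends on.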
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- File
ATT&CK Techniques
- T1218
- T1218.011
Created: 2024-11-13