
Summary
This detection rule identifies Windows Defender Attack Surface Reduction (ASR) block events. ASR is a feature of Windows Defender Exploit Guard that mitigates exploitation by blocking behaviours commonly used by malware (for example, Office applications spawning child processes). When a process triggers an ASR rule that is configured to block rather than audit, Windows Defender writes a specific event ID to the Windows Event Log. This rule searches for event codes 1121, 1126, 1129, 1131, and 1133, which correspond to ASR block incidents; audit-mode events are not included. The search aggregates the matching events with event statistics and joins them against a predefined ASR ruleset lookup, so the analyst can see which rule fired, on which host, and for which process. False positives may occur when legitimate applications perform actions that resemble malicious behaviour (such as a business macro launching a helper executable), so each hit should be reviewed against the triggering process and target before escalation.
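As an added example (not part of this rule or its own search logic), the following Python reproduces the detection's core steps over a constructed set of flattened Defender events: keep only the five block event IDs named above, drop audit-mode and unrelated events, and aggregate by host, process and rule, enriching each hit with a rule-name lookup. The GUID-to-name mapping is assumed from Microsoft's published ASR rule reference and should be verified; the sample events and host names are constructed.

```python
import csv
import io
from collections import Counter

# Event IDs this detection treats as ASR block incidents (from the rule summary).
ASR_BLOCK_EVENT_IDS = {1121, 1126, 1129, 1131, 1133}

# Rule GUID -> rule name. Assumed from Microsoft's published ASR rule reference;
# verify against current documentation before relying on these values.
ASR_RULE_NAMES = {
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a": "Block all Office applications from creating child processes",
    "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2": "Block credential stealing from LSASS",
    "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550": "Block executable content from email client and webmail",
}

# Constructed sample of Defender events in flattened CSV form (not real telemetry).
# Row 2 is an audit-mode event (1122) and the last row is an unrelated Defender
# event (1116); neither should survive the filter.
SAMPLE_EVENTS = """\
host,EventCode,process_name,rule_id,target
WS01,1121,WINWORD.EXE,d4f940ab-401b-4efc-aadc-ad5f3c50688a,C:\\Users\\a\\AppData\\Local\\Temp\\x.exe
WS01,1122,WINWORD.EXE,d4f940ab-401b-4efc-aadc-ad5f3c50688a,C:\\Users\\a\\AppData\\Local\\Temp\\x.exe
WS02,1121,OUTLOOK.EXE,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,C:\\Users\\b\\Downloads\\invoice.exe
WS02,1133,procdump.exe,9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2,lsass.exe
WS01,1121,WINWORD.EXE,d4f940ab-401b-4efc-aadc-ad5f3c50688a,C:\\Windows\\System32\\cmd.exe
WS03,1116,,,
"""


def asr_block_summary(csv_text):
    """Return [(host, process, rule_name, count), ...] for ASR block events only,
    sorted by count (descending), then host, then process."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        code = row.get("EventCode") or ""
        if not code.isdigit() or int(code) not in ASR_BLOCK_EVENT_IDS:
            continue  # audit-mode and non-ASR events are dropped here
        rule_id = row["rule_id"].lower()  # GUID case varies between sources
        rule_name = ASR_RULE_NAMES.get(rule_id, f"unknown rule {rule_id}")
        counts[(row["host"], row["process_name"], rule_name)] += 1
    rows = [(h, p, r, c) for (h, p, r), c in counts.items()]
    return sorted(rows, key=lambda t: (-t[3], t[0], t[1]))


if __name__ == "__main__":
    for host, proc, rule, n in asr_block_summary(SAMPLE_EVENTS):
        print(f"{host:6} {proc:14} {n:3}  {rule}")
```

Each output row is one (host, process, rule) triple to triage; a high count for a known business application on one host is the false-positive pattern the summary warns about.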
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1059
- T1566.001
- T1566.002
Created: 2024-11-13