
Summary
This detection rule identifies a defense-evasion tactic in which an adversary manipulates the Windows Filtering Platform (WFP) to block telemetry from endpoint security software. It monitors for multiple block events in the Windows Firewall and looks for patterns involving security processes, particularly those belonging to common endpoint security applications. A WFP rule added to restrict or disable security software prevents that software from reporting relevant telemetry, which makes this an attractive evasion vector. The rule uses an EQL (Event Query Language) sequence query over blocked network events indicative of this behavior, and it helps pinpoint malicious WFP rule changes that can serve as key indicators during threat hunts and incident response.
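As an added illustration of the logic the summary describes (this is not the rule's actual EQL query; the process list, window and threshold are assumptions), the following Python counts WFP block events (Windows Security event IDs 5152 and 5157) attributed to endpoint security processes inside a short time window, run over constructed sample events:

```python
# Illustrative WFP telemetry-block detector (added example, not the rule's own EQL query).
# Windows Security event IDs 5152 and 5157 record a packet / connection blocked by WFP.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of endpoint security agent executables; extend for your environment.
SECURITY_PROCESSES = {"msmpeng.exe", "sensecncproxy.exe", "elastic-agent.exe"}

# Constructed sample events (fields trimmed to what the logic needs).
SAMPLE_EVENTS = [
    {"ts": "2023-12-15T10:00:01", "event_id": 5157, "app": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"ts": "2023-12-15T10:00:40", "event_id": 5157, "app": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"ts": "2023-12-15T10:01:55", "event_id": 5152, "app": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"ts": "2023-12-15T10:02:10", "event_id": 5157, "app": r"C:\Program Files\Elastic\Agent\elastic-agent.exe"},
    {"ts": "2023-12-15T10:02:30", "event_id": 5157, "app": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2023-12-15T10:02:31", "event_id": 5157, "app": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2023-12-15T10:02:32", "event_id": 5157, "app": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2023-12-15T11:30:00", "event_id": 5157, "app": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
]

def basename(path):
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1                    # slide the window start forward
        best = max(best, end - start + 1)
    return best

def detect_telemetry_blocks(events, threshold=3, window=timedelta(minutes=5)):
    """Return {process: blocks} for security processes with at least `threshold`
    WFP block events inside a `window`-long interval (the 'sequence' the rule looks for)."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev["event_id"] not in (5152, 5157):
            continue                      # only WFP block events matter here
        name = basename(ev["app"])
        if name in SECURITY_PROCESSES:    # ignore non-security software (e.g. browsers)
            per_proc[name].append(datetime.fromisoformat(ev["ts"]))
    return {n: c for n, t in per_proc.items() if (c := max_in_window(t, window)) >= threshold}

if __name__ == "__main__":
    print(detect_telemetry_blocks(SAMPLE_EVENTS))   # {'msmpeng.exe': 3}
```

The single block against elastic-agent.exe and the repeated blocks against chrome.exe are not reported; only the clustered blocks against MsMpEng.exe cross the threshold, and the later isolated block falls outside the window.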
Categories
- Endpoint
- Windows
- Cloud
Data Sources
- Windows Registry
- Logon Session
- Network Traffic
- Application Log
ATT&CK Techniques
- T1562
- T1562.004
Created: 2023-12-15