WFP Filter and Provider Changed

Anvilogic Forge

Summary
This detection rule identifies potential abuse of the Windows Filtering Platform (WFP) by adversaries who alter WFP filters and providers to hinder Endpoint Detection and Response (EDR) agents. Such changes are a defense evasion technique aimed specifically at EDR solutions, with the goal of bypassing security monitoring. The rule looks for two WFP audit events, EventCode 5447 (a WFP filter has been changed) and EventCode 5448 (a WFP provider has been changed), occurring within a short time frame (30 seconds). It collects the relevant events from the Windows event logs and checks them for this pattern, so that it serves as an alert for possible EDR circumvention attempts. The provided logic uses Splunk to gather endpoint data and filters the entries to interactions from non-system accounts, which surfaces user-level modifications rather than routine system activity. Detecting such attempts to impair defenses early helps preserve the security posture of the environment.
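A worked illustration of the correlation described above, added here and not Anvilogic's own rule logic: it reimplements the 30-second pairing of EventCode 5447 and 5448 per host in Python over constructed sample events rather than in Splunk. The field names (`_time`, `host`, `EventCode`, `SubjectUserName`) and the set of names treated as system accounts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"_time": "2024-10-31T10:00:00", "host": "ws01", "EventCode": 5448, "SubjectUserName": "alice"},
    {"_time": "2024-10-31T10:00:12", "host": "ws01", "EventCode": 5447, "SubjectUserName": "alice"},
    {"_time": "2024-10-31T11:00:00", "host": "ws02", "EventCode": 5448, "SubjectUserName": "SYSTEM"},
    {"_time": "2024-10-31T11:00:05", "host": "ws02", "EventCode": 5447, "SubjectUserName": "SYSTEM"},
    {"_time": "2024-10-31T12:00:00", "host": "ws03", "EventCode": 5448, "SubjectUserName": "bob"},
    {"_time": "2024-10-31T12:05:00", "host": "ws03", "EventCode": 5447, "SubjectUserName": "bob"},
]

WINDOW = timedelta(seconds=30)
# Assumption: these built-in accounts, plus machine accounts (ending in "$"), are system-level.
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def is_system_account(name):
    """True for accounts the rule ignores as routine system activity."""
    return name.upper() in SYSTEM_ACCOUNTS or name.endswith("$")


def find_wfp_changes(events, window=WINDOW):
    """Return one alert per host where a non-system account produced both a
    WFP filter change (5447) and a WFP provider change (5448) within `window`."""
    by_host = defaultdict(list)
    for e in events:
        if e["EventCode"] in (5447, 5448) and not is_system_account(e["SubjectUserName"]):
            ts = datetime.fromisoformat(e["_time"])
            by_host[e["host"]].append((ts, e["EventCode"], e["SubjectUserName"]))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()  # chronological order so the window scan can stop early
        for i, (t1, code1, user1) in enumerate(evs):
            for t2, code2, _ in evs[i + 1:]:
                if t2 - t1 > window:
                    break  # later events are even further away
                if {code1, code2} == {5447, 5448}:
                    alerts.append({"host": host, "user": user1,
                                   "first": t1.isoformat(), "last": t2.isoformat()})
                    break
            else:
                continue
            break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_wfp_changes(SAMPLE_EVENTS):
        print(alert)
```

In the sample data only ws01 fires: ws02 is excluded because the actor is SYSTEM, and ws03 because its two events are five minutes apart.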
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1562
Created: 2024-10-31