
WFP Blocked Connection from EDR Agent

Anvilogic Forge

Summary
This detection rule identifies when the Windows Filtering Platform (WFP) blocks a connection attempt from an Endpoint Detection and Response (EDR) agent. Threat actors may add WFP filters to stop EDR agents from reporting security events, using tools such as EDRSilencer or EDRNoisemaker. The primary event used for detection is Windows event 5157, which indicates that a WFP filter has blocked a connection attempt. Restrict the rule to the binaries of the EDR tools actually deployed in the environment to improve performance and relevance. The detection logic is implemented in Splunk and checks the process names associated with EDR software against regex patterns to ensure accuracy. The rule maps to the 'Impair Defenses' technique (T1562), so that security teams can monitor for adversary attempts to evade EDR functionality.
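The logic the summary describes, written out as an added Python example (not Anvilogic's Splunk rule): it parses constructed event 5157 message bodies, matches the Application Name against a list of deployed EDR binaries, and ignores permitted (5156) connections. The EDR binary names and sample records are assumptions standing in for whatever is deployed in a given environment.

```python
import re

# Assumed (not from the rule page): regexes for the EDR agent binaries deployed
# in this environment. Keep the list limited to what you actually run, as the
# rule text recommends; each pattern matches the image file name at path end.
EDR_PROCESS_PATTERNS = [
    re.compile(r"\\mssense\.exe$", re.I),          # Microsoft Defender for Endpoint
    re.compile(r"\\csfalconservice\.exe$", re.I),  # CrowdStrike Falcon sensor
    re.compile(r"\\sentinelagent\.exe$", re.I),    # SentinelOne agent
]

def parse_5157_message(message: str) -> dict:
    """Turn the 'Field:<tab>value' lines of a 5157 message body into a dict."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:  # section headers like 'Network Information:' get an empty value
            fields[key.strip()] = value.strip()
    return fields

def blocked_edr_connections(events) -> list:
    """Return one hit per event 5157 whose Application Name is an EDR binary."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5157:  # 5156 (permitted) and other IDs are ignored
            continue
        f = parse_5157_message(ev["Message"])
        app = f.get("Application Name", "")
        if any(p.search(app) for p in EDR_PROCESS_PATTERNS):
            hits.append({"host": ev["Computer"], "app": app,
                         "dest": f.get("Destination Address"),
                         "filter_id": f.get("Filter Run-Time ID")})
    return hits

# Constructed sample records shaped like Security-log 5157/5156 message bodies.
_MSG = ("The Windows Filtering Platform has blocked a connection.\n"
        "Application Information:\n\tProcess ID:\t4242\n"
        "\tApplication Name:\t\\device\\harddiskvolume2\\program files\\"
        "windows defender advanced threat protection\\mssense.exe\n"
        "Network Information:\n\tDirection:\tOutbound\n\tSource Address:\t10.0.0.5\n"
        "\tDestination Address:\t203.0.113.10\n\tDestination Port:\t443\n"
        "Filter Information:\n\tFilter Run-Time ID:\t71234\n\tLayer Name:\tConnect\n")
SAMPLE_EVENTS = [
    {"Computer": "ws01.example.test", "EventID": 5157, "Message": _MSG},
    {"Computer": "ws01.example.test", "EventID": 5157,               # blocked, not EDR
     "Message": _MSG.replace("mssense.exe", "chrome.exe")},
    {"Computer": "ws02.example.test", "EventID": 5156,               # EDR permitted
     "Message": _MSG.replace("blocked", "permitted")},
]
```

Event 5157 is only written when failure auditing is enabled for the Filtering Platform Connection subcategory of Object Access auditing, so confirm that policy before relying on the rule.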
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1562
Created: 2024-10-31