Breadcrumbs

EVID 5152-5159 : Windows Firewall Events (Part 2) (XML - Security)

Event Details

Event Type

Audit Filtering Platform Packet Drop, Audit Filtering Platform Connection

Event Description

  • 5152(F)

    : The Windows Filtering Platform blocked a packet.

  • 5153(S)

    : A more restrictive Windows Filtering Platform filter has blocked a packet.

  • 5154(S)

    : The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

  • 5155(F)

    : The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

  • 5156(S)

    : The Windows Filtering Platform has permitted a connection.

  • 5157(F)

    : The Windows Filtering Platform has blocked a connection.

  • 5158(S)

    : The Windows Filtering Platform has permitted a bind to a local port.

  • 5159(F) : The Windows Filtering Platform has blocked a bind to a local port.

Event IDs

5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field

LogRhythm Default

LogRhythm Default v2.0

Provider

N/A

N/A

EventID

<vmid>

<vmid>

Version

N/A

N/A

Level

<severity>

<severity>

Task

<vendorinfo>

<vendorinfo>

Opcode

N/A

N/A

Keywords

N/A

<result>

TimeCreated

N/A

N/A

EventRecordID

N/A

N/A

Correlation

N/A

N/A

Execution

N/A

N/A

Channel

N/A

N/A

Computer

N/A

N/A

ProcessId

<processid>

<processid>

Application

<process>

<process>

Direction

N/A

N/A

SourceAddress

<sip>

<sip>

SourcePort

<sport>

<sport>

DestAddress

<dip>

<dip>

DestPort

<dport>

<dport>

Protocol

<protnum>

<protnum>

FilterRTID

N/A

N/A

LayerName

N/A

N/A

LayerRTID

N/A

N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID

Rule Name

Rule Type

Common Event

Classification

1007802

EVID 5031 & 5152 - 5159 : Windows Firewall Events

Base Rule

Network Traffic

Network Traffic

EVID 5153 : Restricted Filtering Blocked Packet

Sub Rule

Traffic Denied by Host Firewall

Network Deny

EVID 5152 : Filtering Platform Blocked A Packet

Sub Rule

Traffic Denied by Host Firewall

Network Deny

EVID 5159 : Denied Bind To Local Port

Sub Rule

Traffic Denied by Host Firewall

Network Deny

EVID 5158 : Permitted Bind To Local Port

Sub Rule

Permitted Bind To Local Port

Information

EVID 5157 : Filtering Platform Blocked Connection

Sub Rule

Traffic Denied by Host Firewall

Network Deny

EVID 5156 : Filtering Platform Allowed Connection

Sub Rule

Traffic Allowed by Host Firewall

Network Allow

EVID 5155 : App Not Allowed To Listen For Conn

Sub Rule

Application Blocked From Listening For Connections

Warning

EVID 5154 : App Allowed To Listen For Conn

Sub Rule

Application Allowed To Listen For Connections

Information

EVID 5031 : Firewall Service Blocked Incoming App

Sub Rule

Traffic Denied by Host Firewall

Network Deny

EVID 5153 : Restricted Filtering Blocked Packet

Sub Rule

Traffic Denied by Host Firewall

Network Deny

EVID 5152 : Filtering Platform Blocked A Packet

Sub Rule

Traffic Denied by Host Firewall

Network Deny

EVID 5159 : Denied Bind To Local Port

Sub Rule

Traffic Denied by Host Firewall

Network Deny

EVID 5158 : Permitted Bind To Local Port

Sub Rule

Permitted Bind To Local Port

Information

EVID 5157 : Filtering Platform Blocked Connection

Sub Rule

Traffic Denied by Host Firewall

Network Deny

EVID 5156 : Filtering Platform Allowed Connection

Sub Rule

Traffic Allowed by Host Firewall

Network Allow

EVID 5155 : App Not Allowed To Listen For Conn

Sub Rule

Application Blocked From Listening For Connections

Warning

EVID 5154 : App Allowed To Listen For Conn

Sub Rule

Application Allowed To Listen For Connections

Information

EVID 5031 : Firewall Service Blocked Incoming App

Sub Rule

Traffic Denied by Host Firewall

Network Deny

LogRhythm Default v2.0

Regex ID

Rule Name

Rule Type

Common Event

Classification

1011123

V 2.0 : Windows Firewall Connection Events

Base Rule

Network Traffic

Network Traffic

V 2.0 : EVID 5152 : WFP - Packet Blocked

Sub Rule

Traffic Denied by Host Firewall

Network Deny

V 2.0 : EVID 5153 : WFP - Packet Blocked

Sub Rule

Traffic Denied by Host Firewall

Network Deny

V 2.0 : EVID 5154 : WFP - Application Allowed

Sub Rule

Application Allowed To Listen For Connections

Information

V 2.0 : EVID 5155 : WFP - Application Blocked

Sub Rule

Application Blocked From Listening For Connections

Warning

V 2.0 : EVID 5156 : WFP - Connection Permitted

Sub Rule

Traffic Allowed by Host Firewall

Network Allow

V 2.0 : EVID 5157 : WFP - Connection Blocked

Sub Rule

Traffic Denied by Host Firewall

Network Deny

V 2.0 : EVID 5158 : WFP - Permitted Bind To Local Port

Sub Rule

Permitted Bind To Local Port

Information

V 2.0 : EVID 5159 : WFP - Blocked Bind To Local Port

Sub Rule

Traffic Denied by Host Firewall

Network Deny