Event Details
| Event Type | Audit Filtering Platform Packet Drop, Audit Filtering Platform Connection |
|---|
| Event Description | - 5152(F) : The Windows Filtering Platform blocked a packet.
- 5153(S) : A more restrictive Windows Filtering Platform filter has blocked a packet.
- 5154(S) : The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
- 5155(F) : The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
- 5156(S) : The Windows Filtering Platform has permitted a connection.
- 5157(F) : The Windows Filtering Platform has blocked a connection.
- 5158(S) : The Windows Filtering Platform has permitted a bind to a local port.
- 5159(F) : The Windows Filtering Platform has blocked a bind to a local port.
|
|---|
| Event IDs | 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159 |
|---|
Log Fields and Parsing
This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.
| Log Field | LogRhythm Default | LogRhythm Default v2.0 |
|---|
| Provider | N/A | N/A |
| EventID | <vmid> | <vmid> |
| Version | N/A | N/A |
| Level | <severity> | <severity> |
| Task | <vendorinfo> | <vendorinfo> |
| Opcode | N/A | N/A |
| Keywords | N/A | <result> |
| TimeCreated | N/A | N/A |
| EventRecordID | N/A | N/A |
| Correlation | N/A | N/A |
| Execution | N/A | N/A |
| Channel | N/A | N/A |
| Computer | N/A | N/A |
| ProcessId | <processid> | <processid> |
| Application | <process> | <process> |
| Direction | N/A | N/A |
| SourceAddress | <sip> | <sip> |
| SourcePort | <sport> | <sport> |
| DestAddress | <dip> | <dip> |
| DestPort | <dport> | <dport> |
| Protocol | <protnum> | <protnum> |
| FilterRTID | N/A | N/A |
| LayerName | N/A | N/A |
| LayerRTID | N/A | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|
| 1007802 | EVID 5031 & 5152 - 5159 : Windows Firewall Events | Base Rule | Network Traffic | Network Traffic |
| EVID 5153 : Restricted Filtering Blocked Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| EVID 5152 : Filtering Platform Blocked A Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| EVID 5159 : Denied Bind To Local Port | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| EVID 5158 : Permitted Bind To Local Port | Sub Rule | Permitted Bind To Local Port | Information |
| EVID 5157 : Filtering Platform Blocked Connection | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| EVID 5156 : Filtering Platform Allowed Connection | Sub Rule | Traffic Allowed by Host Firewall | Network Allow |
| EVID 5155 : App Not Allowed To Listen For Conn | Sub Rule | Application Blocked From Listening For Connections | Warning |
| EVID 5154 : App Allowed To Listen For Conn | Sub Rule | Application Allowed To Listen For Connections | Information |
| EVID 5031 : Firewall Service Blocked Incoming App | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| EVID 5153 : Restricted Filtering Blocked Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| EVID 5152 : Filtering Platform Blocked A Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| EVID 5159 : Denied Bind To Local Port | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| EVID 5158 : Permitted Bind To Local Port | Sub Rule | Permitted Bind To Local Port | Information |
| EVID 5157 : Filtering Platform Blocked Connection | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| EVID 5156 : Filtering Platform Allowed Connection | Sub Rule | Traffic Allowed by Host Firewall | Network Allow |
| EVID 5155 : App Not Allowed To Listen For Conn | Sub Rule | Application Blocked From Listening For Connections | Warning |
| EVID 5154 : App Allowed To Listen For Conn | Sub Rule | Application Allowed To Listen For Connections | Information |
| EVID 5031 : Firewall Service Blocked Incoming App | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|
| 1011123 | V 2.0 : Windows Firewall Connection Events | Base Rule | Network Traffic | Network Traffic |
| V 2.0 : EVID 5152 : WFP - Packet Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| V 2.0 : EVID 5153 : WFP - Packet Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| V 2.0 : EVID 5154 : WFP - Application Allowed | Sub Rule | Application Allowed To Listen For Connections | Information |
| V 2.0 : EVID 5155 : WFP - Application Blocked | Sub Rule | Application Blocked From Listening For Connections | Warning |
| V 2.0 : EVID 5156 : WFP - Connection Permitted | Sub Rule | Traffic Allowed by Host Firewall | Network Allow |
| V 2.0 : EVID 5157 : WFP - Connection Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
| V 2.0 : EVID 5158 : WFP - Permitted Bind To Local Port | Sub Rule | Permitted Bind To Local Port | Information |
| V 2.0 : EVID 5159 : WFP - Blocked Bind To Local Port | Sub Rule | Traffic Denied by Host Firewall | Network Deny |
