Event Details

Event Type: Audit Filtering Platform Packet Drop (5152, 5153) and Audit Filtering Platform Connection (5154 to 5159)
Event Description
  • 5152(F) : The Windows Filtering Platform blocked a packet.
  • 5153(S) : A more restrictive Windows Filtering Platform filter has blocked a packet.
  • 5154(S) : The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  • 5155(F) : The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  • 5156(S) : The Windows Filtering Platform has permitted a connection.
  • 5157(F) : The Windows Filtering Platform has blocked a connection.
  • 5158(S) : The Windows Filtering Platform has permitted a bind to a local port.
  • 5159(F) : The Windows Filtering Platform has blocked a bind to a local port.
  (S) and (F) indicate the audit keyword the event is written with (Audit Success or Audit Failure). Note that 5153 is logged as a success even though the packet was dropped, so the allow/deny verdict must be taken from the event ID, not from the keyword.
Event IDs: 5152, 5153, 5154, 5155, 5156, 5157, 5158, 5159

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field | LogRhythm Default | LogRhythm Default v2.0
Provider | N/A | N/A
EventID | <vmid> | <vmid>
Version | N/A | N/A
Level | <severity> | <severity>
Task | <vendorinfo> | <vendorinfo>
Opcode | N/A | N/A
Keywords | N/A | <result>, <tag1>
TimeCreated | N/A | N/A
EventRecordID | N/A | N/A
Correlation | N/A | N/A
Execution | N/A | N/A
Processid | <processid> | <processid>
Channel | N/A | N/A
Computer | <dname> | <dname>
Security | N/A | N/A
Profiles | N/A | N/A
Application | <process> | <process>
Application Name | N/A | N/A
Direction | <sname> | N/A
Source Address | <sip> | <sip>
Source Port | <sport> | <sport>
Destination Address | <dip> | <dip>
Destination Port | <dport> | <dport>
Protocol | <protnum> | <protnum>
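As an added example (this is not LogRhythm's parser and not code from this page), the following Python normalises raw Security-log XML for events 5152 to 5159 into the field names in the table above, applying the two policy differences the table shows: Direction is parsed only under LogRhythm Default (to <sname>), Keywords only under v2.0 (to <result> and <tag1>). The sample events are constructed, not captures; the `%%14592`/`%%14593` direction references and the Audit Success/Audit Failure keyword masks are the standard Windows values, while the Task numbers in the samples, the `action` field and the `describe` helper are assumptions added for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Raw EvtX XML carries message-table references, not the rendered text.
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
KEYWORDS = {"0x8020000000000000": "Audit Success",
            "0x8010000000000000": "Audit Failure"}
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

# The verdict comes from the event ID, not the audit keyword: 5153 is
# written with Audit Success although the packet was dropped.
BLOCK_EVENTS = {5152, 5153, 5155, 5157, 5159}
ALLOW_EVENTS = {5154, 5156, 5158}


def _data(root, name):
    node = root.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return None if node is None else node.text


def _int(value):
    return None if value is None else int(value)


def parse_wfp_event(xml_text, policy="v2.0"):
    """Map one 5152-5159 event to the LogRhythm field names in the table above."""
    root = ET.fromstring(xml_text)
    sysn = root.find("e:System", NS)
    event_id = int(sysn.find("e:EventID", NS).text)
    if event_id not in BLOCK_EVENTS | ALLOW_EVENTS:
        raise ValueError(f"not a WFP 5152-5159 event: {event_id}")
    keywords = sysn.find("e:Keywords", NS).text.strip().lower()
    out = {
        "vmid": event_id,
        "severity": sysn.find("e:Level", NS).text,
        "vendorinfo": sysn.find("e:Task", NS).text,
        "dname": sysn.find("e:Computer", NS).text,
        "processid": _int(_data(root, "ProcessID")),
        "process": _data(root, "Application"),
        "sip": _data(root, "SourceAddress"),
        "sport": _int(_data(root, "SourcePort")),
        # Listen/bind events (5154, 5155, 5158, 5159) carry no destination or
        # direction fields, so these stay None instead of failing the parse.
        "dip": _data(root, "DestAddress"),
        "dport": _int(_data(root, "DestPort")),
        "protnum": _int(_data(root, "Protocol")),
    }
    if policy == "default":          # Direction -> <sname>, Default policy only
        raw = _data(root, "Direction")
        out["sname"] = DIRECTION.get(raw, raw)
    elif policy == "v2.0":           # Keywords -> <result>, <tag1>, v2.0 only
        out["result"] = KEYWORDS.get(keywords, keywords)
        out["tag1"] = keywords
    else:
        raise ValueError(f"unknown policy: {policy}")
    out["action"] = "deny" if event_id in BLOCK_EVENTS else "allow"  # assumed field
    return out


def describe(fields):
    """One-line summary that tolerates listen/bind events with no destination."""
    proto = PROTO.get(fields["protnum"], str(fields["protnum"]))
    src = f"{fields['sip']}:{fields['sport']}"
    dst = "" if fields["dip"] is None else f" -> {fields['dip']}:{fields['dport']}"
    return f"{fields['vmid']} {fields['action']} {proto} {src}{dst} {fields['process']}"


def _sample(event_id, keywords, task, data):
    """Constructed Security-log event in EvtX XML shape (sample data, not a capture)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Version>1</Version><Level>0</Level>'
            f'<Task>{task}</Task><Opcode>0</Opcode><Keywords>{keywords}</Keywords>'
            '<TimeCreated SystemTime="2024-01-15T10:22:31Z"/><EventRecordID>1</EventRecordID>'
            '<Execution ProcessID="4" ThreadID="80"/><Channel>Security</Channel>'
            '<Computer>WS01.corp.example</Computer></System>'
            f'<EventData>{rows}</EventData></Event>')


SVCHOST = r"\device\harddiskvolume2\windows\system32\svchost.exe"
SAMPLE_5157 = _sample(5157, "0x8010000000000000", 12810, {
    "ProcessID": 4712, "Application": SVCHOST, "Direction": "%%14592",
    "SourceAddress": "10.0.0.5", "SourcePort": 49152,
    "DestAddress": "10.0.0.20", "DestPort": 445, "Protocol": 6,
    "FilterRTID": 71234, "LayerName": "%%14610", "LayerRTID": 44})
SAMPLE_5158 = _sample(5158, "0x8020000000000000", 12810, {
    "ProcessID": 4712, "Application": SVCHOST, "SourceAddress": "0.0.0.0",
    "SourcePort": 49670, "Protocol": 17, "FilterRTID": 0,
    "LayerName": "%%14608", "LayerRTID": 36})
# Same packet as the 5157 sample, dropped by a more restrictive filter: Audit Success keyword.
SAMPLE_5153 = SAMPLE_5157.replace("<EventID>5157", "<EventID>5153").replace(
    "0x8010000000000000", "0x8020000000000000").replace("<Task>12810", "<Task>12809")

if __name__ == "__main__":
    for sample in (SAMPLE_5157, SAMPLE_5158, SAMPLE_5153):
        print(describe(parse_wfp_event(sample)))
```

Running the block prints one summary line per constructed event; the 5153 line reads as a deny even though its <result> is Audit Success, which is the case a keyword-based allow/deny rule would misclassify.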

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID | Rule Name | Rule Type | Common Event | Classification
1004667 | EVID 5031 & 5152 - 5159 : Windows Firewall Events | Base Rule | Network Traffic | Network Traffic
 | EVID 5031 : Firewall Service Blocked Incoming App | Sub Rule | Traffic Denied by Host Firewall | Network Deny
 | EVID 5152 : Permitted Bind To Local Port | Sub Rule | Permitted Bind To Local Port | Information
 | EVID 5153 : Restricted Filtering Blocked Packet | Sub Rule | Traffic Denied by Host Firewall | Network Deny
 | EVID 5154 : App Allowed To Listen For Conn | Sub Rule | Application Allowed To Listen For Connections | Information
 | EVID 5155 : App Not Allowed To Listen For Conn | Sub Rule | Traffic Denied by Host Firewall | Network Deny
 | EVID 5156 : Filtering Platform Allowed Connection | Sub Rule | Traffic Allowed by Host Firewall | Network Allow
 | EVID 5157 : Filtering Platform Blocked Connection | Sub Rule | Traffic Denied by Host Firewall | Network Deny
 | EVID 5158 : Permitted Bind To Local Port | Sub Rule | Permitted Bind To Local Port | Information
 | EVID 5159 : Denied Bind To Local Port | Sub Rule | Traffic Denied by Host Firewall | Network Deny

Note: in the Default policy the EVID 5152 sub-rule carries the same name, common event and classification as the EVID 5158 sub-rule (Permitted Bind To Local Port, Information) even though 5152 records a blocked packet. Under v2.0 the same event is classified as Network Deny, so analytics that key on the Default classification will not see 5152 as a deny.

LogRhythm Default v2.0

Regex ID | Rule Name | Rule Type | Common Event | Classification
1011123 | V 2.0 : Windows Firewall Connection Events | Base Rule | Network Traffic | Network Traffic
 | V 2.0 : EVID 5152 : WFP - Packet Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny
 | V 2.0 : EVID 5153 : WFP - Packet Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny
 | V 2.0 : EVID 5154 : WFP - Application Allowed | Sub Rule | Application Allowed To Listen For Connections | Information
 | V 2.0 : EVID 5155 : WFP - Application Blocked | Sub Rule | Application Blocked From Listening For Connections | Warning
 | V 2.0 : EVID 5156 : WFP - Connection Permitted | Sub Rule | Traffic Allowed by Host Firewall | Network Allow
 | V 2.0 : EVID 5157 : WFP - Connection Blocked | Sub Rule | Traffic Denied by Host Firewall | Network Deny
 | V 2.0 : EVID 5158 : WFP Permtd Bind To Local Port | Sub Rule | Permitted Bind To Local Port | Information
 | V 2.0 : EVID 5159 : WFP - Blckd Bind To Local Port | Sub Rule | Traffic Denied by Host Firewall | Network Deny