Events: 2002, 2003, 2004, 2005, 2006, 2033, 2052, 2071, 2097, 2099.
Channel: Security (events not enabled by default).
Events: 4946, 4947, 4948, 4950.
Overview
The Windows Firewall (officially called the Microsoft Defender Firewall in Windows 10 version 2004 and later) is a host-based firewall built into the Windows operating systems.
One of three profiles is activated automatically for each network interface:

- Domain profile: used when an Active Directory joined endpoint is connected to its domain network. The Domain profile is the least restrictive.
- Private profile: applied to a network adapter connected to a network the user has identified as private. Windows enables network discovery, file sharing and other network features.
- Public profile: applied to a network adapter by default, or when the user marks the network as public. The Public profile is the most restrictive.
By default, the Windows Firewall blocks inbound connections and allows outbound connections that do not match a rule.
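The following PowerShell snippet is an added example, not part of the original page: it shows which of the three profiles is active on each connected interface and reports any profile whose state deviates from the defaults described above (firewall on, inbound blocked unless a rule allows it, outbound allowed). It relies only on the NetSecurity and NetConnection cmdlets shipped with Windows 8 / Server 2012 and later; the baseline table and the helper name are this example's own.

```powershell
# Added example (not part of the original page): check which firewall profile is active
# on each interface and whether each profile still matches the documented defaults
# (firewall on, inbound blocked unless a rule allows it, outbound allowed).

# Active profile per connected interface: NetworkCategory is DomainAuthenticated, Private or Public.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory |
    Format-Table -AutoSize

# Baseline for every profile (assumed from the defaults described above).
# 'NotConfigured' means the built-in default applies, which is the listed value,
# so it is treated as compliant.
$expected = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
}

function Test-FirewallProfileBaseline {
    $deviations = @()
    foreach ($fwProfile in Get-NetFirewallProfile) {
        foreach ($setting in $expected.Keys) {
            $actual = [string]$fwProfile.$setting
            if ($actual -ne 'NotConfigured' -and $actual -ne $expected[$setting]) {
                $deviations += [pscustomobject]@{
                    Profile  = $fwProfile.Name
                    Setting  = $setting
                    Actual   = $actual
                    Expected = $expected[$setting]
                }
            }
        }
    }
    return $deviations
}

$bad = Test-FirewallProfileBaseline
if ($bad) { $bad | Format-Table -AutoSize } else { 'All three profiles match the default baseline.' }
```

A Public or Private profile reporting DefaultInboundAction = Allow, or Enabled = False, is exactly the state that the event 2003 examples in the next section record at the moment it was set; this check tells you whether that state is still in effect.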
Windows Firewall configuration change events
Channel | Conditions | Events
---|---|---
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Default configuration. | Event 2003: "A Windows Defender Firewall setting in the (Domain / Private / Public) profile has changed". Logged whenever a setting of a given Windows Firewall profile is changed. Information of interest: the impacted profile; the setting updated and the new value set; the SID of the user and the path of the process that modified the profile. For instance, "A Windows Defender Firewall setting in the Domain profile has changed. New Setting: Type: Enable Windows Defender Firewall, Value: No" indicates that the Windows Firewall was turned off for the Domain profile, and "A Windows Defender Firewall setting in the Private profile has changed. New Setting: Type: Default Inbound Action, Value: Allow" indicates that inbound connections not matching a rule are now accepted on the Private profile.
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Default configuration. | Event 2002: "A Windows Defender Firewall setting has changed". Logged whenever a global (non profile-specific) Windows Firewall setting is changed; changes to a profile's settings are logged through event 2003 instead. Information of interest: the setting updated and the new value set, in the same format as event 2003; the SID of the user and the path of the process that changed the setting.
Security | Requires "Audit MPSSVC Rule-Level Policy Change" to be enabled. | Event 4950: "A Windows Firewall setting has changed". Logged whenever a Windows Firewall setting is changed, including a profile's settings. Information of interest: the impacted profile; the setting updated and the new value set, in the same format as event 2003. The event carries no subject (user or process) fields; correlate with events 2002 / 2003 for that information.
Windows Firewall rules activity events
Channel | Conditions | Events
---|---|---
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Default configuration. | Events 2004, 2071 and 2097 (depending on the Windows version): "A rule has been added to the Windows Defender Firewall exception list". Logged whenever a new Windows Firewall rule is configured. Information of interest: the rule name and identifier; the rule parameters (impacted profile(s): Public, Private, Domain; origin (local or Group Policy) and direction (inbound or outbound); action (allow or block); network protocol (any, TCP, UDP, ICMP, ...); the application path, if any; the local / remote IP address(es) and port(s), if any; ...); the SID of the user and the path of the process that created the rule.
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Default configuration. | Events 2005 and 2099 (depending on the Windows version): "A rule has been modified in the Windows Defender Firewall exception list". Logged whenever a Windows Firewall rule is modified. Holds exactly the same information of interest as the rule creation events 2004, 2071 and 2097. All the parameters of the modified rule are logged, whether they were updated or not: the modified value is not highlighted and the previous values are not logged, so a diff requires the earlier 2004 / 2005 event for the same rule identifier.
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Default configuration. | Events 2006, 2033 and 2052 (depending on the Windows version): "A rule has been deleted in the Windows Defender Firewall exception list". Logged whenever a Windows Firewall rule is deleted. Information of interest: the rule name and identifier; the SID of the user and the path of the process that deleted the rule. The deleted rule's parameters are not logged; they must be recovered from its creation or last modification event.
Security | Requires "Audit MPSSVC Rule-Level Policy Change" to be enabled. | Event 4946: "A change has been made to Windows Firewall exception list. A rule was added". Event 4947: "A change has been made to Windows Firewall exception list. A rule was modified". Event 4948: "A change has been made to Windows Firewall exception list. A rule was deleted". Logged whenever a Windows Firewall rule is created / modified / deleted. Information of interest: the Windows Firewall profile(s) the rule applies to; the rule name and identifier. The information provided on the impacted rule is thus minimal and does not include the rule parameters.
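The following PowerShell snippet is an added example, not part of the original page, that triages the events from both tables above (configuration changes and rule activity) over the last seven days. It parses the "Label: Value" lines of the rendered event message, so the labels match what the tables show on an English system but not a localized one; the seven-day window, the helper name and the "user-writable path" heuristic for application paths are this example's own assumptions. Run it as an administrator, which is also required to read the Security log.

```powershell
# Added example (not part of the original page): triage Windows Firewall configuration
# and rule events from the Firewall channel, then list the Security channel counterparts.
# Labels are parsed from the rendered English message; on a localized system they differ.

$fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$since = (Get-Date).AddDays(-7)   # assumed triage window

# Turn the "Label:<TAB>Value" lines of a firewall event message into a hashtable.
function ConvertFrom-FirewallMessage([string]$Message) {
    $fields = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*([^:]+?):\s*(.*?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }
    return $fields
}

$fwEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = $fwLog
    Id        = 2002, 2003, 2004, 2005, 2006, 2033, 2052, 2071, 2097, 2099
    StartTime = $since
}

foreach ($e in $fwEvents) {
    $f   = ConvertFrom-FirewallMessage $e.Message
    $who = '{0} via {1}' -f $f['Modifying User'], $f['Modifying Application']
    switch ($e.Id) {
        { $_ -in 2002, 2003 } {
            # Setting changes: the two cases called out in the configuration table.
            if ($f['Type'] -eq 'Enable Windows Defender Firewall' -and $f['Value'] -eq 'No') {
                Write-Warning "$($e.TimeCreated) firewall DISABLED by $who"
            } elseif ($f['Type'] -eq 'Default Inbound Action' -and $f['Value'] -eq 'Allow') {
                Write-Warning "$($e.TimeCreated) default inbound action set to ALLOW by $who"
            }
        }
        { $_ -in 2004, 2005, 2071, 2097, 2099 } {
            # Rule added or modified: report inbound allow rules, the ones that open the host up.
            if ($f['Direction'] -eq 'Inbound' -and $f['Action'] -eq 'Allow') {
                $path = $f['Application Path']
                # Heuristic (assumption): binaries under user-writable directories deserve a look.
                $hint = if ($path -match '\\(Users|Temp|ProgramData)\\') { ' [user-writable path]' } else { '' }
                Write-Warning ("{0} inbound ALLOW rule '{1}' ({2}) proto={3} app={4}{5} by {6}" -f
                    $e.TimeCreated, $f['Rule Name'], $f['Rule ID'], $f['Protocol'], $path, $hint, $who)
            }
        }
        { $_ -in 2006, 2033, 2052 } {
            # Deletions carry only name and identifier; parameters must come from the earlier events.
            Write-Output "$($e.TimeCreated) rule deleted: '$($f['Rule Name'])' ($($f['Rule ID'])) by $who"
        }
    }
}

# Security channel counterparts, present only if the audit subcategory is enabled.
auditpol /get /subcategory:"MPSSVC Rule-Level Policy Change"
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4946, 4947, 4948, 4950; StartTime = $since
} | Select-Object TimeCreated, Id,
        @{ n = 'Rule';    e = { (ConvertFrom-FirewallMessage $_.Message)['Rule Name'] } },
        @{ n = 'Setting'; e = { (ConvertFrom-FirewallMessage $_.Message)['Type'] } } |
    Format-Table -AutoSize
```

Because the Firewall channel is enabled by default and records the modifying user and process, it is the primary source; the Security events add nothing beyond profile, rule name and identifier, but survive a cleared Firewall channel and are what centralized Security-log forwarding usually collects.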