Event ID 4947 — A change has been made to Windows Firewall exception list. A rule was modified.
Description
A change was made to the Windows Firewall exception list. A rule was modified.
Message #
Fields #
| Name | Description |
|---|---|
ProfileChanged UnicodeString | Profile Changed Known values
|
RuleId UnicodeString | [Modified Rule] Rule ID |
RuleName UnicodeString | [Modified Rule] Rule Name |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Auditing",
"guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
"event_source_name": "",
"event_id": 4947,
"version": 0,
"level": 0,
"task": 13571,
"opcode": 0,
"keywords": 9232379236109516800,
"time_created": "2026-03-11T06:32:02.846637+00:00",
"event_record_id": 2461332,
"correlation": {
"ActivityID": "25EC58BA-8E8B-49D4-8250-F380547FF3D0"
},
"execution": {
"process_id": 720,
"thread_id": 1048
},
"channel": "Security",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"ProfileChanged": "All",
"RuleId": "WSLCore-SharedAccess-Allow-Rule",
"RuleName": "WSLCore SharedAccess Allow Rule"
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Splunk # view in reference
- Windows Firewall Rule Modification source: This detection identifies instances where a Windows Firewall rule has been modified, which may indicate an attempt to alter security policies. Unauthorized modifications can weaken firewall protections, allowing malicious traffic or preventing legitimate communications. The event logs details such as the modified rule name, protocol, ports, application path, and the user responsible for the change. Security teams should monitor unexpected modifications, correlate them with related events, and investigate anomalies to prevent unauthorized access and maintain network security integrity.
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change