Event ID 4950 — A Windows Firewall setting has changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → MPSSVC Rule-Level Policy Change
Collection Priority: Low (Splunk-UBA, others)
Opcode: Info

Description

A Windows Firewall setting was changed.

Message

A Windows Firewall setting was changed.

Changed Profile: %1

New Setting:
	Type: %2
	Value: %3

Fields

Name (Type): Description

ProfileChanged (UnicodeString): Changed Profile
	Known values:
	%%14644 = Public
	%%14645 = Private
	%%14646 = Domain
SettingType (UnicodeString): [New Setting] Type
SettingValue (UnicodeString): [New Setting] Value

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "event_source_name": "",
    "event_id": 4950,
    "version": "0",
    "level": "0",
    "task": "13571",
    "opcode": "0",
    "keywords": 9232379236109516800,
    "time_created": "2021-06-03T19:39:52.893115500Z",
    "event_record_id": "1974770",
    "correlation": {
      "#attributes": {
        "ActivityID": "{38068009-512D-0000-1D80-06382D51D701}"
      }
    },
    "execution": {
      "process_id": "556",
      "thread_id": "2532"
    },
    "channel": "Security",
    "computer": "fs01.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProfileChanged": "Domain",
    "SettingType": "Enable Windows Firewall",
    "SettingValue": "Yes"
  }
}

Community Notes

Tracks changes to core settings such as disabling a profile (domain, private, public), or default block/allow behavior.
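
A detection sketch for the profile-disable case mentioned above, added here as an example and not taken from the original page or any product. It assumes events arrive one JSON object per line in the same shape as the example event, that a disabled profile is logged with SettingValue "No" (the page only shows "Yes"), and it resolves the %%1464x profile codes from the Fields section; the sample hosts and timestamps are constructed.

```python
import json

# Message-table codes from the Fields section, for collectors that leave them unexpanded.
PROFILE_CODES = {"%%14644": "Public", "%%14645": "Private", "%%14646": "Domain"}

def firewall_disabled_alerts(lines):
    """Return one alert per 4950 event that switches a firewall profile off."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(event, dict):
            continue
        system = event.get("system") or {}
        data = event.get("event_data") or {}
        if (system.get("provider") != "Microsoft-Windows-Security-Auditing"
                or str(system.get("event_id")) != "4950"  # exporters emit int or string
                or data.get("SettingType") != "Enable Windows Firewall"):
            continue
        # Assumption: a disabled profile is logged as "No" (the page only shows "Yes").
        if str(data.get("SettingValue", "")).strip().lower() != "no":
            continue
        profile = str(data.get("ProfileChanged", "")).strip()
        alerts.append({
            "time": system.get("time_created"),
            "computer": system.get("computer"),
            "profile": PROFILE_CODES.get(profile, profile),
        })
    return alerts

def _event(event_id, host, profile, value, time):
    """Build a constructed sample line in the same shape as the example event."""
    return json.dumps({
        "system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": event_id,
                   "time_created": time, "computer": host},
        "event_data": {"ProfileChanged": profile, "SettingType": "Enable Windows Firewall",
                       "SettingValue": value},
    })

# Constructed sample input (hosts and timestamps are made up for this example).
SAMPLE_LINES = [
    _event(4950, "ws01.example.test", "Domain", "Yes", "2021-06-03T19:39:52Z"),
    _event("4950", "ws01.example.test", "%%14644", "No", "2021-06-03T19:41:10Z"),
    _event(4950, "ws02.example.test", "Private", "No", "2021-06-03T19:45:03Z"),
    _event(4624, "ws02.example.test", "Private", "No", "2021-06-03T19:46:00Z"),
    '{"system": {"event_id": 4950',  # truncated line
]
```

Calling firewall_disabled_alerts(SAMPLE_LINES) returns the two disable events and skips the enable event, the unrelated event ID and the truncated line.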
