Event ID 5152 — The Windows Filtering Platform blocked a packet.
Description
The Windows Filtering Platform has blocked a packet.
Fields

| Name | Type | Description |
|---|---|---|
| ProcessId | UInt64 | [Application Information] Process ID |
| Application | UnicodeString | [Application Information] Application Name |
| Direction | UnicodeString | [Network Information] Direction (known values) |
| SourceAddress | UnicodeString | [Network Information] Source Address |
| SourcePort | UnicodeString | [Network Information] Source Port |
| DestAddress | UnicodeString | [Network Information] Destination Address |
| DestPort | UnicodeString | [Network Information] Destination Port |
| Protocol | UInt32 | [Network Information] Protocol (known values) |
| FilterOrigin | UnicodeString | [Filter Information] Filter Origin |
| FilterRTID | UInt64 | [Filter Information] Filter Run-Time ID |
| LayerName | UnicodeString | [Filter Information] Layer Name (known values) |
| LayerRTID | UInt64 | [Filter Information] Layer Run-Time ID |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5152,
    "version": 1,
    "level": 0,
    "task": 12809,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2026-03-13T20:18:50.483625+00:00",
    "event_record_id": 16258577,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 3152
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": 0,
    "Application": "-",
    "Direction": "%%14592",
    "SourceAddress": "10.2.10.21",
    "SourcePort": "5355",
    "DestAddress": "10.2.10.11",
    "DestPort": "53173",
    "Protocol": 17,
    "FilterOrigin": "Stealth",
    "FilterRTID": 70356,
    "LayerName": "%%14597",
    "LayerRTID": 13
  },
  "message": ""
}
```
Detection Patterns

- Asim Network Session Schema (5 rules; Kusto Query Language). Events combined with AND:
  - Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.
  - Event ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  - Event ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  - Event ID 5156: The Windows Filtering Platform has permitted a connection.
  - Event ID 5157: The Windows Filtering Platform has blocked a connection.
  - Event ID 5158: The Windows Filtering Platform has permitted a bind to a local port.
  - Event ID 5159: The Windows Filtering Platform has blocked a bind to a local port.
  - Sysmon Event ID 3: Network connection
- Command & Control: Application Layer Protocol (2 rules). Event sequence:
  - Security-Auditing Event ID 5152 → Event ID 5154 → Event ID 5155 → Event ID 5156 → Event ID 5157 → Event ID 5158 → Event ID 5159 → Sysmon Event ID 3 (the same events as listed above)
- Defense Evasion: Disable or Modify System Firewall (1 rule). Event sequence:
  - Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet. → Event ID 5157: The Windows Filtering Platform has blocked a connection.
Community Notes
Prefer 5157 when both are available as it is per-connection.
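As an added illustration of the Fields table and of the per-packet versus per-connection point in the note above (example code, not part of this page or of any product): the parser below flattens a 5152 record into ASIM-style network-session fields and then collapses repeated per-packet blocks into per-flow counts. The sample event is a constructed copy of the page's example; the decodings of the `%%14592`/`%%14593` Direction strings and of the IANA protocol numbers are assumptions, since this page omits its known-values lists.

```python
import json
from collections import Counter

# Constructed sample: the page's example 5152 event, trimmed to the fields used here.
SAMPLE_5152 = json.loads("""
{"system": {"event_id": 5152, "computer": "LAB-DC01.ludus.domain"},
 "event_data": {"ProcessId": 0, "Application": "-", "Direction": "%%14592",
                "SourceAddress": "10.2.10.21", "SourcePort": "5355",
                "DestAddress": "10.2.10.11", "DestPort": "53173", "Protocol": 17,
                "FilterOrigin": "Stealth", "FilterRTID": 70356,
                "LayerName": "%%14597", "LayerRTID": 13}}
""")

# Assumed decodings of the %%-resource strings and IANA protocol numbers
# (documented Windows values; this page omits its known-values lists).
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
PROTOCOL = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def normalize_5152(event):
    """Flatten one 5152 record into ASIM-style network-session fields."""
    s, d = event["system"], event["event_data"]
    return {
        "EventID": s["event_id"],
        "Computer": s["computer"],
        "Direction": DIRECTION.get(d["Direction"], d["Direction"]),
        "Proto": PROTOCOL.get(d["Protocol"], str(d["Protocol"])),
        "SrcIp": d["SourceAddress"], "SrcPort": int(d["SourcePort"]),
        "DstIp": d["DestAddress"], "DstPort": int(d["DestPort"]),
        "Process": d["Application"],
        "FilterOrigin": d["FilterOrigin"], "FilterRTID": d["FilterRTID"],
    }


def flow_key(rec):
    """Identity of a flow: 5152 fires per packet, so these repeat for one connection."""
    return (rec["Computer"], rec["Direction"], rec["Proto"],
            rec["SrcIp"], rec["DstIp"], rec["DstPort"], rec["FilterRTID"])


def summarize_blocks(events):
    """Collapse per-packet 5152 events into per-flow counts (the granularity 5157 has natively)."""
    return Counter(flow_key(normalize_5152(e)) for e in events
                   if e["system"]["event_id"] == 5152)


if __name__ == "__main__":
    for key, n in summarize_blocks([SAMPLE_5152] * 3).items():
        print(n, "packets blocked:", key)
```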