Event ID 5154 — The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Message #

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Source Address: %3
	Source Port: %4
	Protocol: %5

Filter Information:
	Filter Run-Time ID: %6
	Layer Name: %7
	Layer Run-Time ID: %8

Fields #

Name	Description
`ProcessId` UInt64	[Application Information] Process ID
`Application` UnicodeString	[Application Information] Application Name
`SourceAddress` UnicodeString	[Network Information] Source Address
`SourcePort` UnicodeString	[Network Information] Source Port
`Protocol` UInt32	[Network Information] Protocol Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID
`LayerName` UnicodeString	[Filter Information] Layer Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5154,
    "version": 0,
    "level": 0,
    "task": 12810,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2026-03-12T01:42:03.150814+00:00",
    "event_record_id": 2727618,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8992
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessId": 764,
    "Application": "\\device\\harddiskvolume4\\users\\localuser\\appdata\\local\\microsoft\\onedrive\\26.026.0209.0004\\onedrive.sync.service.exe",
    "SourceAddress": "::1",
    "SourcePort": "42050",
    "Protocol": 6,
    "FilterRTID": 0,
    "LayerName": "%%14609",
    "LayerRTID": 42
  },
  "message": ""
}