Event ID 5157 — The Windows Filtering Platform has blocked a connection.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Filtering Platform Connection
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

The Windows Filtering Platform has blocked a connection.

Message #

The Windows Filtering Platform has blocked a connection.

Application Information:
	Process ID: %1
	Application Name: %2

Network Information:
	Direction: %3
	Source Address: %4
	Source Port: %5
	Destination Address: %6
	Destination Port: %7
	Protocol: %8

Filter Information:
	Filter Run-Time ID: %9
	Layer Name: %10
	Layer Run-Time ID: %11

Fields #

Name	Description
`ProcessID` UInt64	[Application Information] Process ID
`Application` UnicodeString	[Application Information] Application Name
`Direction` UnicodeString	[Network Information] Direction Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SourceAddress` UnicodeString	[Network Information] Source Address
`SourcePort` UnicodeString	[Network Information] Source Port
`DestAddress` UnicodeString	[Network Information] Destination Address
`DestPort` UnicodeString	[Network Information] Destination Port
`Protocol` UInt32	[Network Information] Protocol Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`InterfaceIndex` UInt32	[Network Information] Interface Index
`FilterOrigin` UnicodeString	[Filter Information] Filter Origin
`FilterRTID` UInt64	[Filter Information] Filter Run-Time ID
`LayerName` UnicodeString	[Filter Information] Layer Name Known values `%%14596` IP Packet `%%14597` Transport `%%14598` Forward `%%14599` Stream `%%14600` Datagram Data `%%14601` ICMP Error `%%14602` MAC 802.3 `%%14603` MAC Native `%%14604` vSwitch `%%14608` Resource Assignment `%%14609` Listen `%%14610` Receive/Accept `%%14611` Connect `%%14612` Flow Established `%%14614` Resource Release `%%14615` Endpoint Closure `%%14616` Connect Redirect `%%14617` Bind Redirect `%%14624` Stream Packet `%%14625` Accept Redirect `%%14626` Accept Redirect `%%14640` ICMP Echo-Request `%%14641` vSwitch Ingress `%%14642` vSwitch Egress `%%14643` Unknown
`LayerRTID` UInt64	[Filter Information] Layer Run-Time ID
`RemoteUserID` SID	[Filter Information] Remote User ID
`RemoteMachineID` SID	[Filter Information] Remote Machine ID
`OriginalProfile` UnicodeString	[Filter Information] Original Profile
`CurrentProfile` UnicodeString	[Filter Information] Current Profile
`IsLoopback` UnicodeString	[Filter Information] Is Loopback
`HasRemoteDynamicKeywordAddress` UnicodeString	[Filter Information] Has Remote Dynamic Keyword Address

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5157,
    "version": 3,
    "level": 0,
    "task": 12810,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2026-03-11T06:32:07.887002+00:00",
    "event_record_id": 2461636,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 352
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProcessID": 6872,
    "Application": "\\device\\harddiskvolume4\\windows\\system32\\svchost.exe",
    "Direction": "%%14592",
    "SourceAddress": "172.18.253.78",
    "SourcePort": "37359",
    "DestAddress": "172.18.240.1",
    "DestPort": "53",
    "Protocol": 17,
    "InterfaceIndex": 12,
    "FilterOrigin": "Quarantine Default",
    "FilterRTID": 66241,
    "LayerName": "%%14610",
    "LayerRTID": 44,
    "RemoteUserID": "S-1-0-0",
    "RemoteMachineID": "S-1-0-0",
    "OriginalProfile": "%%14643",
    "CurrentProfile": "%%14643",
    "IsLoopback": "%%1826",
    "HasRemoteDynamicKeywordAddress": "%%1826"
  },
  "message": ""
}

Detection Patterns #

Asim Network Session Schema

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.ANDEvent ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.ANDEvent ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.ANDEvent ID 5156: The Windows Filtering Platform has permitted a connection.ANDEvent ID 5157: The Windows Filtering Platform has blocked a connection.ANDEvent ID 5158: The Windows Filtering Platform has permitted a bind to a local port.ANDEvent ID 5159: The Windows Filtering Platform has blocked a bind to a local port.ANDSysmon Event ID 3: Network connection

5 rules

Kusto Query Language

Remote Desktop Network Brute force (ASIM Network Session schema) (source)

Network Port Sweep from External Network (ASIM Network Session schema) (source)

Port scan detected (ASIM Network Session schema) (source)

Show 2 more (5 total)

Google Threat Intelligence - Threat Hunting IP (source)

Potential beaconing activity (ASIM Network Session schema) (source)

Command & Control: Application Layer Protocol

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.→Event ID 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.→Event ID 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.→Event ID 5156: The Windows Filtering Platform has permitted a connection.→Event ID 5157: The Windows Filtering Platform has blocked a connection.→Event ID 5158: The Windows Filtering Platform has permitted a bind to a local port.→Event ID 5159: The Windows Filtering Platform has blocked a bind to a local port.→Sysmon Event ID 3: Network connection

2 rules

Kusto Query Language

Google Threat Intelligence - Threat Hunting IP (source)

Potential beaconing activity (ASIM Network Session schema) (source)

Defense Evasion: Disable or Modify System Firewall

Security-Auditing Event ID 5152: The Windows Filtering Platform blocked a packet.→Event ID 5157: The Windows Filtering Platform has blocked a connection.

1 rule

Elastic

Potential Evasion via Windows Filtering Platform (source)

Elastic

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Windows Filtering Platform Blocked Connection From EDR Agent Binary source high: Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection