detection.wiki

Microsoft-Windows-Security-Auditing › Event 5443

Event ID 5443 — The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Policy Change → Filtering Platform Policy Change
Collection Priority
Low (Microsoft-AppendixL)
Opcode
Info

Description

The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.

Message #

The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
	
Provider ID: %1
Provider Name: %2
Provider Context ID: %3
Provider Context Name: %4
Provider Context Type: %5

Fields #

NameDescription
ProviderKey GUIDProvider ID
ProviderName UnicodeStringProvider Name
ProviderContextKey GUIDProvider Context ID
ProviderContextName UnicodeStringProvider Context Name
ProviderContextType UnicodeStringProvider Context Type

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5443,
    "version": 0,
    "level": 0,
    "task": 13572,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2022-04-04T13:11:16.631811+00:00",
    "event_record_id": 25502,
    "correlation": {
      "ActivityID": "7377737E-4825-0000-C974-77732548D801"
    },
    "execution": {
      "process_id": 612,
      "thread_id": 668
    },
    "channel": "Security",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProviderKey": "DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62",
    "ProviderName": "Microsoft Corporation",
    "ProviderContextKey": "93132C36-6E06-4E6F-A10B-218787CD49CF",
    "ProviderContextName": "MPSSVC",
    "ProviderContextType": "%%16387"
  },
  "message": ""
}

References #