Microsoft-Windows-Windows Firewall With Advanced Security

170 events across 7 channels

Event ID	Title	Channel
2000	The following settings were applied to the Windows Defender Firewall at startup …	FirewallVerbose
2001	The following per profile settings were applied by Windows Defender Firewall …	FirewallVerbose
2002	A Windows Defender Firewall setting has changed.	Firewall
2003	A Windows Defender Firewall setting in the %1 profile has changed.	Firewall
2004	A rule has been added to the Windows Defender Firewall exception list.	Firewall
2005	A rule has been modified in the Windows Defender Firewall exception list.	Firewall
2006	A rule has been deleted in the Windows Defender Firewall exception list.	Firewall
2007	A rule has been listed when the Windows Defender Firewall started.	FirewallVerbose
2008	Windows Defender Firewall Group Policy settings have changed.	Firewall
2009	The Windows Defender Firewall service failed to load Group Policy.	Firewall
2010	Network profile changed on an interface.	Firewall
2011	Windows Defender Firewall was unable to notify the user that it blocked an …	Firewall
2012	A connection security rule was added to IPsec settings.	ConnectionSecurity
2013	A connection security rule was modified in IPsec settings.	ConnectionSecurity
2014	A connection security rule was deleted from IPsec settings.	ConnectionSecurity
2015	A connection security rule was added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose
2016	A main mode rule has been added in the IPsec settings.	ConnectionSecurity
2017	A main mode rule has been modified in the IPsec settings.	ConnectionSecurity
2018	A main mode rule has been deleted in the IPsec settings.	ConnectionSecurity
2019	A main mode rule was added to the IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2020	A phase 1 crypto set was added to IPsec settings.	ConnectionSecurity
2021	A phase 1 crypto set was modified in IPsec settings.	ConnectionSecurity
2022	A phase 1 crypto set was deleted from IPsec settings.	ConnectionSecurity
2023	A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2024	A phase 2 crypto set was added to IPsec settings.	ConnectionSecurity
2025	A phase 2 crypto set was modified in IPsec settings.	ConnectionSecurity
2026	A phase 2 crypto set was deleted from IPsec settings.	ConnectionSecurity
2027	A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2028	An authentication set has been added to IPsec settings.	ConnectionSecurity
2029	An authentication set has been modified in IPsec settings.	ConnectionSecurity
2030	An authentication set has been deleted from IPsec settings.	ConnectionSecurity
2031	An authentication set has been added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose
2032	Windows Defender Firewall has been reset to its default configuration.	Firewall
2033	All rules have been deleted from the Windows Defender Firewall configuration on …	Firewall
2034	All connection security rules have been deleted from the IPsec configuration on …	ConnectionSecurity
2035	All main mode rules have been deleted from the IPsec configuration on this …	ConnectionSecurity
2036	All authentication sets have been deleted from the IPsec configuration on this …	ConnectionSecurity
2037	All crypto sets have been deleted from the IPsec configuration on this computer.	ConnectionSecurity
2038	Windows Defender Firewall did not apply the following rule because the rule was …	ConnectionSecurity
2039	Http Proxies Changed Reason: %1 All Proxies: %2 All Domain Proxies: %3 Group …	Network Isolation Operational
2040	Corp Subnets Changed Reason: %1 All Domain Subnets: %2 Group Policy Configured …	Network Isolation Operational
2041	Capability Changed Reason: %1 Capability: %2 Profile: %3 IP Range Definition: …	Network Isolation Operational
2042	Config Read Failed Config: %1 Error: %2.	System
2043	The Windows Firewall Service failed to initialize a component.	Firewall
2044	Added Dynamic Keyword Address.	Firewall
2045	Deleted Dynamic Keyword Address.	Firewall
2046	Updated Dynamic Keyword Address.	Firewall
2047	Tenant Restrictions Policy Update.	Firewall
2048	Added Dynamic Keyword Address.	Firewall
2049	Deleted Dynamic Keyword Address.	Firewall
2050	Updated Dynamic Keyword Address.	Firewall
2051		Operational
2051		Firewall
2052		Operational
2052		Firewall
2053		Operational
2053	A connection security rule was deleted from IPsec settings.	ConnectionSecurity
2054		Operational
2054	A main mode rule has been deleted in the IPsec settings.	ConnectionSecurity
2055		Operational
2055	A phase 1 crypto set was deleted from IPsec settings.	ConnectionSecurity
2056		Operational
2056	A phase 2 crypto set was deleted from IPsec settings.	ConnectionSecurity
2057		Operational
2057	All connection security rules have been deleted from the IPsec configuration on …	ConnectionSecurity
2058		Operational
2058	All main mode rules have been deleted from the IPsec configuration on this …	ConnectionSecurity
2059		Operational
2059		Firewall
2060		Operational
2060	Windows Defender Firewall has been reset to its default configuration.	Firewall
2061		Operational
2061	A connection security rule was added to IPsec settings.	ConnectionSecurity
2062		Operational
2062	A connection security rule was modified in IPsec settings.	ConnectionSecurity
2063		Operational
2063	A connection security rule was added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose
2064		Operational
2064	An authentication set has been added to IPsec settings.	ConnectionSecurity
2065		Operational
2065	An authentication set has been modified in IPsec settings.	ConnectionSecurity
2066		Operational
2066	An authentication set has been added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose
2067		Operational
2067	An authentication set has been deleted from IPsec settings.	ConnectionSecurity
2068		Operational
2068	A main mode rule has been added in the IPsec settings.	ConnectionSecurity
2069		Operational
2069	A main mode rule has been modified in the IPsec settings.	ConnectionSecurity
2070		Operational
2070	A main mode rule was added to the IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2071		Operational
2071	A rule has been added to the Windows Defender Firewall exception list.	Firewall
2072		Operational
2072	A rule has been listed when the Windows Defender Firewall started.	FirewallVerbose
2073		Operational
2073	A rule has been modified in the Windows Defender Firewall exception list.	Firewall
2074		Operational
2074	All authentication sets have been deleted from the IPsec configuration on this …	ConnectionSecurity
2075		Operational
2075	All crypto sets have been deleted from the IPsec configuration on this computer.	ConnectionSecurity
2076		Operational
2076	A phase 1 crypto set was added to IPsec settings.	ConnectionSecurity
2077		Operational
2077	A phase 1 crypto set was modified in IPsec settings.	ConnectionSecurity
2078		Operational
2078	A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2079		Operational
2079	A phase 2 crypto set was added to IPsec settings.	ConnectionSecurity
2080		Operational
2080	A phase 2 crypto set was modified in IPsec settings.	ConnectionSecurity
2081		Operational
2081	A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2082		Operational
2082		Firewall
2083		Operational
2083		Firewall
2084		Operational
2084		Firewall
2085		Operational
2085	Created Hyper-V Port.	Firewall
2086		Operational
2086	Updated Hyper-V Port.	Firewall
2087		Operational
2087	Deleted Hyper-V Port.	Firewall
2088		Operational
2088	A Hyper-V Firewall VM Setting has changed.	Firewall
2089		Operational
2089	A Hyper-V Firewall VM Setting has reset.	Firewall
2090		Operational
2090	A Hyper-V rule has been added.	Firewall
2091		Operational
2091	A Hyper-V rule has been updated.	Firewall
2092		Operational
2092	A Hyper-V rule has been deleted.	Firewall
2093		Operational
2093	A error occured while initializing a Hyper-V port.	Firewall
2094		Operational
2094	A error occured while processing a Hyper-V rule.	Firewall
2095		Operational
2095	A Hyper-V VM Creator has been registered with the firewall service.	Firewall
2096		Operational
2096	A Hyper-V VM Creator has been unregistered with the firewall service.	Firewall
2097		Operational
2097		Firewall
2098		Operational
2098	A rule has been listed when the Windows Defender Firewall started.	FirewallVerbose
2099		Operational
2099		Firewall
2100	A proxy is being used with Network Isolation, and is listed as a cloud resource.	Operational
2101		Operational
2101	A Hyper-V Firewall Profile Setting has changed.	Firewall
2102		Operational
2102	A Hyper-V Firewall Profile Setting has reset.	Firewall
2103		Operational
2103	A commit of an atomic transaction failed.	Firewall
2104		Operational
2104	The commit of an add operation in CSP failed.	Firewall
2105		Operational
2105	The commit of an delete operation in CSP failed.	Firewall
2106		Operational
2106	The commit of a set operation in CSP failed.	Firewall
2107		Operational
2107	A rollback of an atomic transaction completed.	Firewall
2108		Operational
2108	The rollback of a delete operation completed.	Firewall
2109		Operational
2109	The rollback of an add operation completed.	Firewall
2110		Operational
2110	The rollback of a set operation completed.	Firewall

Event ID 2000 — The following settings were applied to the Windows Defender Firewall at startup Current Profile: %1 IPsec SA Idle time: %2 IPsec preshared key enco...

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose

Message

The following settings were applied to the Windows Defender Firewall at startup

	Current Profile:	%1
	IPsec SA Idle time:	%2
	IPsec preshared key encoding:	%3
	IPsec Exempt:	%4
	IPsec CRL Check:	%5
	IPsec Through NAT:	%6
	Policy Version Supported:	%7
	Policy Version:	%8
	Binary Version Supported:	%9
	Stateful FTP:	%10
	Group Policy Applied:	%11
	Remote Machine Authorization List:	%12
	Remote UserAuthorization List:	%13

Fields

Name	Description
`CurrentProfile`	—
`SAIdleTime`	—
`PresharedKeyEncoding`	—
`IPSecExempt`	—
`CrlCheck`	—
`IPSecThroughNAT`	—
`PolicyVersionSupported`	—
`PolicyVersion`	—
`BinaryVersionSupported`	—
`DisableStatefulFTP`	—
`GroupPolicyApplied`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EnableAuditMode`	—

Event ID 2001 — The following per profile settings were applied by Windows Defender Firewall Profile: %1 Operational Mode: %2 Stealth Mode: %3 Block all Incoming C...

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose

Message

The following per profile settings were applied by Windows Defender Firewall 

	Profile:	%1
	Operational Mode:	%2
	Stealth Mode:	%3
	Block all Incoming Connections:	%4
	Unicast response to multicast broadcast:	%5
	Log dropped packets:	%6
	Log successful connections:	%7
	Log ignored rules:	%8
	Inbound Notifications:	%9
	Allow Local Policy Merge:	%12
	Allow Local IPsec Policy Merge:	%13
	Default Outbound Action:	%14
	Default Inbound Action:	%15
	Remote Administration:	%16
	Stealth Mode IPsec Secured Packet Exemption:	%21
	Maximum Log file size:	%17
	Log File path:	%18
	Allow User preferred merge of Authorized Applications:	%10
	Allow User preferred merge of Globally open ports:	%11

Fields

Name	Description
`Profile`	—
`OpMode`	—
`DisableStealthMode`	—
`BlockAllInbound`	—
`DisableUnicastResponseToMultiCastBroadCast`	—
`LogDroppedPackets`	—
`LogSuccessfulConnections`	—
`LogIgnoredRules`	—
`DisableInboundNotifications`	—
`AllowUserPrefMergeForApps`	—
`AllowUserPrefMergeForGlobalPorts`	—
`AllowLocalPolicyMerge`	—
`AllowIPSecPolicyMerge`	—
`DefaultOutboundAction`	—
`DefaultInboundAction`	—
`RemoteAdministrationEnabled`	—
`MaxLogFileSize`	—
`LogFilePath`	—
`DisabledInterfacesSize`	—
`DisabledInterfaces`	—
`DisableStealthModeIPsecSecuredPacketExemption`	—

Event ID 2002 — A Windows Defender Firewall setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

A Windows Defender Firewall setting has changed.

New Setting:
	Type:	%1
	Value:	%4
	Modifying User:	%6
	Modifying Application:	%7

Fields

Name	Description
`SettingType`	—
`SettingValueSize`	—
`SettingValue`	—
`SettingValueDisplay`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2002
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:00:02.923110+00:00'
  event_record_id: 290
  correlation: {}
  execution:
    process_id: 1212
    thread_id: 2276
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-19
event_data:
  SettingType: 2
  SettingValueSize: 4
  SettingValue: '01000000'
  SettingValueDisplay: (null)
  Origin: 1
  ModifyingUser: S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
  ModifyingApplication: ''
message: ''

Sigma Rules

Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2003 — A Windows Defender Firewall setting in the %1 profile has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

A Windows Defender Firewall setting in the %1 profile has changed.
New Setting:
	Type:	%2
	Value:	%5
	Modifying User:	%7
	Modifying Application:	%8

Fields

Name	Description
`Profiles`	—
`SettingType`	—
`SettingValueSize`	—
`SettingValue`	—
`SettingValueString`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: '{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}'
  event_source_name: ''
  event_id: 2003
  version: '0'
  level: '4'
  task: '0'
  opcode: '0'
  keywords: 9223372036854775808
  time_created: '2021-06-03T19:39:52.893086100Z'
  event_record_id: '912'
  correlation: {}
  execution:
    process_id: '1000'
    thread_id: '5464'
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: fs01.offsec.lan
  security:
    user_id: S-1-5-19
event_data:
  Profiles: '1'
  SettingType: '1'
  SettingValueSize: '4'
  SettingValue: '01000000'
  SettingValueString: 'Yes'
  Origin: '1'
  ModifyingUser: S-1-5-21-4230534742-2542757381-3142984815-1111
  ModifyingApplication: C:\Windows\System32\wbem\WmiPrvSE.exe

Sigma Rules

Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 2004 — A rule has been added to the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%18
	Direction:	%6
	Profiles:	%11
	Action:	%10
	Application Path:	%4
	Service Name:	%5
	Protocol:	%7
	Security Options:	%21
	Edge Traversal:	%19
	Modifying User:	%22
	Modifying Application:	%23

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2004
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223374235878031360
  time_created: '2022-04-07T17:06:55.849451+00:00'
  event_record_id: 173
  correlation: {}
  execution:
    process_id: 1928
    thread_id: 5436
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-19
event_data:
  RuleId: ADDS-NB-Datagram-UDP-In
  RuleName: Active Directory Domain Controller - NetBIOS name resolution (UDP-In)
  Origin: 1
  ApplicationPath: System
  ServiceName: ''
  Direction: 1
  Protocol: 17
  LocalPorts: '138'
  RemotePorts: '*'
  Action: 3
  Profiles: 2147483647
  LocalAddresses: '*'
  RemoteAddresses: '*'
  RemoteMachineAuthorizationList: ''
  RemoteUserAuthorizationList: ''
  EmbeddedContext: '@FirewallAPI.dll,-37601'
  Flags: 1
  Active: 1
  EdgeTraversal: 0
  LooseSourceMapped: 0
  SecurityOptions: 0
  ModifyingUser: S-1-5-18
  ModifyingApplication: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\TiWorker.exe
  SchemaVersion: 543
  RuleStatus: 65536
  LocalOnlyMapped: 0
message: ''

Sigma Rules

Uncommon New Firewall Rule Added In Windows Firewall Exception List
Detects when a rule has been added to the Windows Firewall exception list
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

References

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd364408(v=ws.10)
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2005 — A rule has been modified in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

A rule has been modified in the Windows Defender Firewall exception list.

Modified Rule:
	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%18
	Direction:	%6
	Profiles:	%11
	Action:	%10
	Application Path:	%4
	Service Name:	%5
	Protocol:	%7
	Security Options:	%21
	Edge Traversal:	%19
	Modifying User:	%22
	Modifying Application:	%23

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2005
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223374235878031360
  time_created: '2022-04-07T17:07:00.091207+00:00'
  event_record_id: 189
  correlation: {}
  execution:
    process_id: 1928
    thread_id: 1948
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-19
event_data:
  RuleId: FPS-SpoolSvc-In-TCP
  RuleName: File and Printer Sharing (Spooler Service - RPC)
  Origin: 1
  ApplicationPath: C:\Windows\system32\spoolsv.exe
  ServiceName: Spooler
  Direction: 1
  Protocol: 6
  LocalPorts: RPC
  RemotePorts: '*'
  Action: 3
  Profiles: 7
  LocalAddresses: '*'
  RemoteAddresses: '*'
  RemoteMachineAuthorizationList: ''
  RemoteUserAuthorizationList: ''
  EmbeddedContext: '@FirewallAPI.dll,-28502'
  Flags: 1
  Active: 1
  EdgeTraversal: 0
  LooseSourceMapped: 0
  SecurityOptions: 0
  ModifyingUser: S-1-5-18
  ModifyingApplication: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\TiWorker.exe
  SchemaVersion: 543
  RuleStatus: 65536
  LocalOnlyMapped: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2006 — A rule has been deleted in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

A rule has been deleted in the Windows Defender Firewall exception list.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2006
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223374235878031360
  time_created: '2022-04-04T08:05:47.030869+00:00'
  event_record_id: 275
  correlation: {}
  execution:
    process_id: 1320
    thread_id: 5056
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-19
event_data:
  RuleId: '{731057A4-5875-4405-ACE3-4C0DD0043413}'
  RuleName: WinDefend Outbound for TCP
  ModifyingUser: S-1-5-18
  ModifyingApplication: C:\Program Files\Windows Defender\MsMpEng.exe
message: ''

Sigma Rules

A Rule Has Been Deleted From The Windows Firewall Exception List
Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2007 — A rule has been listed when the Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose

Message

A rule has been listed when the Windows Defender Firewall started.

Added Rule:
	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%18
	Direction:	%6
	Profiles:	%11
	Action:	%10
	Application Path:	%4
	Service Name:	%5
	Protocol:	%7
	Security Options:	%21
	Edge Traversal:	%19

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—

Event ID 2008 — Windows Defender Firewall Group Policy settings have changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

Windows Defender Firewall Group Policy settings have changed. The new settings have been applied

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2008
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T23:50:01.847874+00:00'
  event_record_id: 1250
  correlation: {}
  execution:
    process_id: 2896
    thread_id: 9248
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

Sigma Rules

Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2009 — The Windows Defender Firewall service failed to load Group Policy.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

The Windows Defender Firewall service failed to load Group Policy.
Error:	%1

Fields

Name	Description
`ErrorCode`	—

Sigma Rules

The Windows Defender Firewall Service Failed To Load Group Policy
Detects activity when The Windows Defender Firewall service failed to load Group Policy

Event ID 2010 — Network profile changed on an interface.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

Network profile changed on an interface.

Adapter GUID:	%1
Adapter Name:	%2
Old Profile:	%3
New Profile:	%4

Fields

Name	Description
`InterfaceGuid`	—
`InterfaceName`	—
`OldProfile`	—
`NewProfile`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2010
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:51.427999+00:00'
  event_record_id: 719
  correlation: {}
  execution:
    process_id: 3344
    thread_id: 3844
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  InterfaceGuid: 8E4162AD-6500-4899-BA95-24051405E207
  InterfaceName: ethernet_32769
  OldProfile: 2147483649
  NewProfile: 4
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2011 — Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Reason:		%1
Application Path:	%2
IP Version:	%3
Protocol:	%4
Port:		%5
Process Id:	%6
User:		%7

Fields

Name	Description
`ReasonCode`	—
`ApplicationPath`	—
`IPVersion`	—
`Protocol`	—
`Port`	—
`ProcessId`	—
`ModifyingUser`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2011
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T08:12:17.921409+00:00'
  event_record_id: 258
  correlation: {}
  execution:
    process_id: 1928
    thread_id: 2428
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-19
event_data:
  ReasonCode: 64
  ApplicationPath: C:\windows\system32\dns.exe
  IPVersion: 1
  Protocol: 17
  Port: 53
  ProcessId: 2208
  ModifyingUser: S-1-5-18
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2012 — A connection security rule was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A connection security rule was added to IPsec settings.

	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%4
	Protocol:	%5
	EndPoint1Ports:	%6
	EndPoint2Ports:	%7
	LocalTunnelEndpointV4:	%8
	LocalTunnelEndpointV6:	%9
	RemoteTunnelEndpointV4:	%10
	RemoteTunnelEndpointV6:	%11
	Phase1AuthSetId:	%12
	Phase2AuthSetId:	%13
	Phase2CryptoSetId:	%14
	Action:	%15
	Profiles:	%16
	LocalAddresses:	%17
	RemoteAddresses:	%18
	EmbeddedContext:	%20
	IsDTM:	%22
	ApplyAuthZ:	%23
	BypassTunnelIfEncrypted:	%24
	NoIPSecOnOutbound:	%25
	ModifyingUser:	%26
	ModifyingApplication:	%27

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`Active`	—
`Protocol`	—
`Endpoint1Ports`	—
`Endpoint2Ports`	—
`LocalTunnelEndpointV4`	—
`LocalTunnelEndpointV6`	—
`RemoteTunnelEndpointV4`	—
`RemoteTunnelEndpointV6`	—
`Phase1AuthSetId`	—
`Phase2AuthSetId`	—
`Phase2CryptoSetId`	—
`Action`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`MMParentRuleId`	—
`EmbeddedContext`	—
`Flags`	—
`IsDTM`	—
`ApplyAuthZ`	—
`BypassTunnelIfEncrypted`	—
`NoIPSecOnOutbound`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2013 — A connection security rule was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A connection security rule was modified in IPsec settings.

	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%4
	Protocol:	%5
	EndPoint1Ports:	%6
	EndPoint2Ports:	%7
	LocalTunnelEndpointV4:	%8
	LocalTunnelEndpointV6:	%9
	RemoteTunnelEndpointV4:	%10
	RemoteTunnelEndpointV6:	%11
	Phase1AuthSetId:	%12
	Phase2AuthSetId:	%13
	Phase2CryptoSetId:	%14
	Action:	%15
	Profiles:	%16
	LocalAddresses:	%17
	RemoteAddresses:	%18
	EmbeddedContext:	%20
	IsDTM:	%22
	ApplyAuthZ:	%23
	BypassTunnelIfEncrypted:	%24
	NoIPSecOnOutbound:	%25
	ModifyingUser:	%26
	ModifyingApplication:	%27

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`Active`	—
`Protocol`	—
`Endpoint1Ports`	—
`Endpoint2Ports`	—
`LocalTunnelEndpointV4`	—
`LocalTunnelEndpointV6`	—
`RemoteTunnelEndpointV4`	—
`RemoteTunnelEndpointV6`	—
`Phase1AuthSetId`	—
`Phase2AuthSetId`	—
`Phase2CryptoSetId`	—
`Action`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`MMParentRuleId`	—
`EmbeddedContext`	—
`Flags`	—
`IsDTM`	—
`ApplyAuthZ`	—
`BypassTunnelIfEncrypted`	—
`NoIPSecOnOutbound`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2014 — A connection security rule was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A connection security rule was deleted from IPsec settings.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2015 — A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose

Message

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%4
	Protocol:	%5
	EndPoint1Ports:	%6
	EndPoint2Ports:	%7
	LocalTunnelEndpointV4:	%8
	LocalTunnelEndpointV6:	%9
	RemoteTunnelEndpointV4:	%10
	RemoteTunnelEndpointV6:	%11
	Phase1AuthSetId:	%12
	Phase2AuthSetId:	%13
	Phase2CryptoSetId:	%14
	Action:	%15
	Profiles:	%16
	LocalAddresses:	%17
	RemoteAddresses:	%18
	EmbeddedContext:	%20
	IsDTM:	%22
	ApplyAuthZ:	%23
	BypassTunnelIfEncrypted:	%24
	NoIPSecOnOutbound:	%25
	ModifyingUser:	%26
	ModifyingApplication:	%27

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`Active`	—
`Protocol`	—
`Endpoint1Ports`	—
`Endpoint2Ports`	—
`LocalTunnelEndpointV4`	—
`LocalTunnelEndpointV6`	—
`RemoteTunnelEndpointV4`	—
`RemoteTunnelEndpointV6`	—
`Phase1AuthSetId`	—
`Phase2AuthSetId`	—
`Phase2CryptoSetId`	—
`Action`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`MMParentRuleId`	—
`EmbeddedContext`	—
`Flags`	—
`IsDTM`	—
`ApplyAuthZ`	—
`BypassTunnelIfEncrypted`	—
`NoIPSecOnOutbound`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2016 — A main mode rule has been added in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A main mode rule has been added in the IPsec settings.

	Rule ID:	%1
	Rule Name:	%2
	Profiles:	%3
	Endpoint1:	%4
	Endpoint2:	%5
	Phase1AuthSetId:	%6
	Phase1CryptoSetId:	%7
	Flags:	%8
	Active:	%9
	EmbeddedContext:	%10
	Origin:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`Phase1AuthSetId`	—
`Phase1CryptoSetId`	—
`Flags`	—
`Active`	—
`EmbeddedContext`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2017 — A main mode rule has been modified in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A main mode rule has been modified in the IPsec settings.

	Rule ID:	%1
	Rule Name:	%2
	Profiles:	%3
	Endpoint1:	%4
	Endpoint2:	%5
	Phase1AuthSetId:	%6
	Phase1CryptoSetId:	%7
	Flags:	%8
	Active:	%9
	EmbeddedContext:	%10
	Origin:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`Phase1AuthSetId`	—
`Phase1CryptoSetId`	—
`Flags`	—
`Active`	—
`EmbeddedContext`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2018 — A main mode rule has been deleted in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A main mode rule has been deleted in the IPsec settings.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2019 — A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose

Message

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

	Rule ID:	%1
	Rule Name:	%2
	Profiles:	%3
	Endpoint1:	%4
	Endpoint2:	%5
	Phase1AuthSetId:	%6
	Phase1CryptoSetId:	%7
	Flags:	%8
	Active:	%9
	EmbeddedContext:	%10
	Origin:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`Phase1AuthSetId`	—
`Phase1CryptoSetId`	—
`Flags`	—
`Active`	—
`EmbeddedContext`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2020 — A phase 1 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 1 crypto set was added to IPsec settings.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Flags:	%6
	NumSuites:	%7
	TimeOutMinutes:	%10
	TimeOutSessions:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Flags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`TimeOutMinutes`	—
`TimeOutSessions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2021 — A phase 1 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 1 crypto set was modified in IPsec settings.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Flags:	%6
	NumSuites:	%7
	TimeOutMinutes:	%10
	TimeOutSessions:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Flags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`TimeOutMinutes`	—
`TimeOutSessions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2022 — A phase 1 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 1 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2023 — A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose

Message

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Flags:	%6
	NumSuites:	%7
	TimeOutMinutes:	%10
	TimeOutSessions:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Flags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`TimeOutMinutes`	—
`TimeOutSessions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2024 — A phase 2 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 2 crypto set was added to IPsec settings.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Pfs:	%6
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Pfs`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2025 — A phase 2 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 2 crypto set was modified in IPsec settings.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Pfs:	%6
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Pfs`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2026 — A phase 2 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 2 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2027 — A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose

Message

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Pfs:	%6
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Pfs`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2028 — An authentication set has been added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

An authentication set has been added to IPsec settings.

	Set ID:	%1
	Set Name:	%2
	IPsec Phase:	%3
	Origin:	%5
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11

Fields

Name	Description
`SetId`	—
`SetName`	—
`IPsecPhase`	—
`EmbeddedContext`	—
`Origin`	—
`AuthSetFlags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`AuthenticationSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2029 — An authentication set has been modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

An authentication set has been modified in IPsec settings.

	Set ID:	%1
	Set Name:	%2
	IPsec Phase:	%3
	Origin:	%5
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11

Fields

Name	Description
`SetId`	—
`SetName`	—
`IPsecPhase`	—
`EmbeddedContext`	—
`Origin`	—
`AuthSetFlags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`AuthenticationSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2030 — An authentication set has been deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

An authentication set has been deleted from IPsec settings.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`IPsecPhase`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2031 — An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose

Message

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

	Set ID:	%1
	Set Name:	%2
	IPsec Phase:	%3
	Origin:	%5
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11

Fields

Name	Description
`SetId`	—
`SetName`	—
`IPsecPhase`	—
`EmbeddedContext`	—
`Origin`	—
`AuthSetFlags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`AuthenticationSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—

Event ID 2032 — Windows Defender Firewall has been reset to its default configuration.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Windows Defender Firewall has been reset to its default configuration.

	ModifyingUser:	%1
	ModifyingApplication:	%2

Fields

Name	Description
`ModifyingUser`	—
`ModifyingApplication`	—

Sigma Rules

Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration

Event ID 2033 — All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

	Store Type:	%1
	ModifyingUser:	%2
	ModifyingApplication:	%3

Fields

Name	Description
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Sigma Rules

All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when a all the rules have been deleted from the Windows Defender Firewall configuration

Event ID 2034 — All connection security rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

All connection security rules have been deleted from the IPsec configuration on this computer.

	Store Type:	%1
	ModifyingUser:	%2
	ModifyingApplication:	%3

Fields

Name	Description
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2035 — All main mode rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

All main mode rules have been deleted from the IPsec configuration on this computer.

	Store Type:	%1
	ModifyingUser:	%2
	ModifyingApplication:	%3

Fields

Name	Description
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2036 — All authentication sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

All authentication sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase:	%1
	Store Type:	%2
	ModifyingUser:	%3
	ModifyingApplication:	%4

Fields

Name	Description
`IPsecPhase`	—
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2037 — All crypto sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

All crypto sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase:	%1
	Store Type:	%2
	ModifyingUser:	%3
	ModifyingApplication:	%4

Fields

Name	Description
`IPsecPhase`	—
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2038 — Windows Defender Firewall did not apply the following rule because the rule was not properly configured on this computer: Rule Information: ID: %1 ...

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

Windows Defender Firewall did not apply the following rule because the rule was not properly configured on this computer:

Rule Information:
	ID:	%1
	Name:	%2

Error Information:
	Reason:	%3

Fields

Name	Description
`ID`	—
`Name`	—
`Reason`	—
`RuleStatus`	—

Event ID 2039 — Http Proxies Changed Reason: %1 All Proxies: %2 All Domain Proxies: %3 Group Policy Configured Domain Proxies: %4 Group Policy Configured Local Pro...

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Network Isolation Operational
Level: 4
Samples: 1

Message

Http Proxies Changed

Reason: 	%1

All Proxies:	%2

All Domain Proxies:	%3

Group Policy Configured Domain Proxies:	%4

Group Policy Configured Local Proxies:	%5

All DA Nat64 Domain Proxies:	%6

Group Policy is authoritative:	%7

Fields

Name	Description
`ChangeType`	—
`All Proxies`	—
`All Domain Proxies`	—
`GP Configured Domain Proxies`	—
`GP Configured Local Proxies`	—
`All DA Nat64 Proxies`	—
`GP Is Authoritative`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2039
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 576460752303423504
  time_created: '2023-11-05T23:50:01.858901+00:00'
  event_record_id: 1
  correlation: {}
  execution:
    process_id: 2896
    thread_id: 9248
  channel: Network Isolation Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ChangeType: 0
  All Proxies: '*'
  All Domain Proxies: '*'
  GP Configured Domain Proxies: '*'
  GP Configured Local Proxies: '*'
  All DA Nat64 Proxies: '*'
  GP Is Authoritative: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2040 — Corp Subnets Changed Reason: %1 All Domain Subnets: %2 Group Policy Configured Domain Subnets: %3 All DA Nat64 Domain Subnets: %4 Group Policy is a...

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Network Isolation Operational

Message

Corp Subnets Changed

Reason: 	%1

All Domain Subnets:	%2

Group Policy Configured Domain Subnets:	%3

All DA Nat64 Domain Subnets:	%4

Group Policy is authoritative:	%5

Fields

Name	Description
`ChangeType`	—
`AllDomainProxies`	—
`GPConfiguredDomainSubnets`	—
`AllDANat64DomainSubnets`	—
`GPIsAuthoritative`	—

Event ID 2041 — Capability Changed Reason: %1 Capability: %2 Profile: %3 IP Range Definition: %4.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Network Isolation Operational
Level: 4
Samples: 1

Message

Capability Changed

Reason: 	%1

Capability:	%2
Profile:	%3
IP Range Definition:	%4

Fields

Name	Description
`ChangeType`	—
`Capability`	—
`Profile`	—
`IP Range Definition`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2041
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 576460752303423504
  time_created: '2023-11-05T23:50:49.936008+00:00'
  event_record_id: 6
  correlation: {}
  execution:
    process_id: 2896
    thread_id: 3800
  channel: Network Isolation Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ChangeType: 3
  Capability: 0
  Profile: 4
  IP Range Definition: 0.0.0.0-255.255.255.255,::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2042 — Config Read Failed Config: %1 Error: %2.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: System

Message

Config Read Failed

Config:	%1
Error:	%2

Fields

Name	Description
`SettingType`	—
`ErrorCode`	—

Event ID 2043 — The Windows Firewall Service failed to initialize a component.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

The Windows Firewall Service failed to initialize a component. Some policies may not be fully enforced. 

Component Name:	%1
Error Code:	%2

Fields

Name	Description
`ComponentName`	—
`ErrorCode`	—

Event ID 2044 — Added Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Added Dynamic Keyword Address.

Error Code:	%1
Id:	%2
Keyword:	%3
Addresses	%4
AutoResolve:	%5

Fields

Name	Description
`ErrorCode`	—
`Id`	—
`Keyword`	—
`Addresses`	—
`AutoResolve`	—

Event ID 2045 — Deleted Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Deleted Dynamic Keyword Address.

Error Code:	%1
Id:	%2

Fields

Name	Description
`ErrorCode`	—
`Id`	—

Event ID 2046 — Updated Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Updated Dynamic Keyword Address.

Error Code:	%1
Id:	%2
Append:	%3
Previous Addresses:	%4
Addresses to update:	%5
Updated Addresses	%6

Fields

Name	Description
`ErrorCode`	—
`Id`	—
`Append`	—
`PreviousAddresses`	—
`AddressesToUpdate`	—
`UpdatedAddresses`	—

Event ID 2047 — Tenant Restrictions Policy Update.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

Tenant Restrictions Policy Update.

Error code:	%1
Old Addresses:	%2
New Addresses:	%3

Fields

Name	Description
`ErrorCode`	—
`PreviousAddresses`	—
`UpdatedAddresses`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2047
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:34:38.294357+00:00'
  event_record_id: 292
  correlation: {}
  execution:
    process_id: 1212
    thread_id: 3732
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-19
event_data:
  ErrorCode: 0
  PreviousAddresses: ''
  UpdatedAddresses: ''
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2048 — Added Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Added Dynamic Keyword Address.

Error Code:	%1
Id:	%2
Keyword:	%3
Addresses	%4
AutoResolve:	%5

Fields

Name	Description
`ErrorCode`	—
`Id`	—
`Keyword`	—
`Addresses`	—
`AutoResolve`	—

Event ID 2049 — Deleted Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Deleted Dynamic Keyword Address.

Error Code:	%1
Id:	%2

Fields

Name	Description
`ErrorCode`	—
`Id`	—

Event ID 2050 — Updated Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Updated Dynamic Keyword Address.

Error Code:	%1
Id:	%2
Append:	%3
Previous Addresses:	%4
Addresses to update:	%5
Updated Addresses	%6

Fields

Name	Description
`ErrorCode`	—
`Id`	—
`Append`	—
`PreviousAddresses`	—
`AddressesToUpdate`	—
`UpdatedAddresses`	—

Event ID 2051 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`PolicyChange`	—

Event ID 2051 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

Tenant Restrictions Policy Update

Error code:	%1
Policy Change:	%2

Fields

Name	Description
`ErrorCode`	—
`PolicyChange`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2051
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:51.342732+00:00'
  event_record_id: 717
  correlation: {}
  execution:
    process_id: 3344
    thread_id: 3768
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ErrorCode: 0
  PolicyChange: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2052 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Sigma Rules

A Rule Has Been Deleted From The Windows Firewall Exception List
Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall

Event ID 2052 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

A rule has been deleted in the Windows Defender Firewall exception list.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4
	Error Code:	%5

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2052
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223374235878031360
  time_created: '2023-11-06T01:42:34.475801+00:00'
  event_record_id: 1314
  correlation: {}
  execution:
    process_id: 2896
    thread_id: 16976
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  RuleId: '{7F9A364D-0AAE-43ED-A6D1-8D400D83CF18}'
  RuleName: WindowsAppRuntime.1.2
  ModifyingUser: S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
  ModifyingApplication: C:\Windows\System32\svchost.exe
  ErrorCode: 0
message: ''

Sigma Rules

A Rule Has Been Deleted From The Windows Firewall Exception List
Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2053 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2053 — A connection security rule was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A connection security rule was deleted from IPsec settings.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4
	Error Code:	%5

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2054 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2054 — A main mode rule has been deleted in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A main mode rule has been deleted in the IPsec settings.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4
	Error Code:	%5

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2055 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2055 — A phase 1 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 1 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4
	Error Code:	%5

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2056 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2056 — A phase 2 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 2 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4
	Error Code:	%5

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2057 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2057 — All connection security rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

All connection security rules have been deleted from the IPsec configuration on this computer.

	Store Type:	%1
	ModifyingUser:	%2
	ModifyingApplication:	%3
	Error Code:	%4

Fields

Name	Description
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2058 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2058 — All main mode rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

All main mode rules have been deleted from the IPsec configuration on this computer.

	Store Type:	%1
	ModifyingUser:	%2
	ModifyingApplication:	%3
	Error Code:	%4

Fields

Name	Description
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2059 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Sigma Rules

All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when a all the rules have been deleted from the Windows Defender Firewall configuration

Event ID 2059 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

	Store Type:	%1
	ModifyingUser:	%2
	ModifyingApplication:	%3
	Error Code:	%4

Fields

Name	Description
`Store Type`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2059
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:51.342184+00:00'
  event_record_id: 716
  correlation: {}
  execution:
    process_id: 3344
    thread_id: 3768
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  Store Type: 12
  ModifyingUser: S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
  ModifyingApplication: C:\Windows\System32\svchost.exe
  ErrorCode: 0
message: ''

Sigma Rules

All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when a all the rules have been deleted from the Windows Defender Firewall configuration

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2060 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Sigma Rules

Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration

Event ID 2060 — Windows Defender Firewall has been reset to its default configuration.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Windows Defender Firewall has been reset to its default configuration.

	ModifyingUser:	%1
	ModifyingApplication:	%2
	Error Code:	%3

Fields

Name	Description
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Sigma Rules

Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration

Event ID 2061 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`Active`	—
`Protocol`	—
`Endpoint1Ports`	—
`Endpoint2Ports`	—
`LocalTunnelEndpointV4`	—
`LocalTunnelEndpointV6`	—
`RemoteTunnelEndpointV4`	—
`RemoteTunnelEndpointV6`	—
`Phase1AuthSetId`	—
`Phase2AuthSetId`	—
`Phase2CryptoSetId`	—
`Action`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`MMParentRuleId`	—
`EmbeddedContext`	—
`Flags`	—
`IsDTM`	—
`ApplyAuthZ`	—
`BypassTunnelIfEncrypted`	—
`NoIPSecOnOutbound`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2061 — A connection security rule was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A connection security rule was added to IPsec settings.

	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%4
	Protocol:	%5
	EndPoint1Ports:	%6
	EndPoint2Ports:	%7
	LocalTunnelEndpointV4:	%8
	LocalTunnelEndpointV6:	%9
	RemoteTunnelEndpointV4:	%10
	RemoteTunnelEndpointV6:	%11
	Phase1AuthSetId:	%12
	Phase2AuthSetId:	%13
	Phase2CryptoSetId:	%14
	Action:	%15
	Profiles:	%16
	LocalAddresses:	%17
	RemoteAddresses:	%18
	EmbeddedContext:	%20
	IsDTM:	%22
	ApplyAuthZ:	%23
	BypassTunnelIfEncrypted:	%24
	NoIPSecOnOutbound:	%25
	ModifyingUser:	%26
	ModifyingApplication:	%27
	Error Code:	%30

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`Active`	—
`Protocol`	—
`Endpoint1Ports`	—
`Endpoint2Ports`	—
`LocalTunnelEndpointV4`	—
`LocalTunnelEndpointV6`	—
`RemoteTunnelEndpointV4`	—
`RemoteTunnelEndpointV6`	—
`Phase1AuthSetId`	—
`Phase2AuthSetId`	—
`Phase2CryptoSetId`	—
`Action`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`MMParentRuleId`	—
`EmbeddedContext`	—
`Flags`	—
`IsDTM`	—
`ApplyAuthZ`	—
`BypassTunnelIfEncrypted`	—
`NoIPSecOnOutbound`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2062 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`Active`	—
`Protocol`	—
`Endpoint1Ports`	—
`Endpoint2Ports`	—
`LocalTunnelEndpointV4`	—
`LocalTunnelEndpointV6`	—
`RemoteTunnelEndpointV4`	—
`RemoteTunnelEndpointV6`	—
`Phase1AuthSetId`	—
`Phase2AuthSetId`	—
`Phase2CryptoSetId`	—
`Action`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`MMParentRuleId`	—
`EmbeddedContext`	—
`Flags`	—
`IsDTM`	—
`ApplyAuthZ`	—
`BypassTunnelIfEncrypted`	—
`NoIPSecOnOutbound`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2062 — A connection security rule was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A connection security rule was modified in IPsec settings.

	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%4
	Protocol:	%5
	EndPoint1Ports:	%6
	EndPoint2Ports:	%7
	LocalTunnelEndpointV4:	%8
	LocalTunnelEndpointV6:	%9
	RemoteTunnelEndpointV4:	%10
	RemoteTunnelEndpointV6:	%11
	Phase1AuthSetId:	%12
	Phase2AuthSetId:	%13
	Phase2CryptoSetId:	%14
	Action:	%15
	Profiles:	%16
	LocalAddresses:	%17
	RemoteAddresses:	%18
	EmbeddedContext:	%20
	IsDTM:	%22
	ApplyAuthZ:	%23
	BypassTunnelIfEncrypted:	%24
	NoIPSecOnOutbound:	%25
	ModifyingUser:	%26
	ModifyingApplication:	%27
	Error Code:	%30

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`Active`	—
`Protocol`	—
`Endpoint1Ports`	—
`Endpoint2Ports`	—
`LocalTunnelEndpointV4`	—
`LocalTunnelEndpointV6`	—
`RemoteTunnelEndpointV4`	—
`RemoteTunnelEndpointV6`	—
`Phase1AuthSetId`	—
`Phase2AuthSetId`	—
`Phase2CryptoSetId`	—
`Action`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`MMParentRuleId`	—
`EmbeddedContext`	—
`Flags`	—
`IsDTM`	—
`ApplyAuthZ`	—
`BypassTunnelIfEncrypted`	—
`NoIPSecOnOutbound`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2063 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`Active`	—
`Protocol`	—
`Endpoint1Ports`	—
`Endpoint2Ports`	—
`LocalTunnelEndpointV4`	—
`LocalTunnelEndpointV6`	—
`RemoteTunnelEndpointV4`	—
`RemoteTunnelEndpointV6`	—
`Phase1AuthSetId`	—
`Phase2AuthSetId`	—
`Phase2CryptoSetId`	—
`Action`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`MMParentRuleId`	—
`EmbeddedContext`	—
`Flags`	—
`IsDTM`	—
`ApplyAuthZ`	—
`BypassTunnelIfEncrypted`	—
`NoIPSecOnOutbound`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2063 — A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose

Message

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%4
	Protocol:	%5
	EndPoint1Ports:	%6
	EndPoint2Ports:	%7
	LocalTunnelEndpointV4:	%8
	LocalTunnelEndpointV6:	%9
	RemoteTunnelEndpointV4:	%10
	RemoteTunnelEndpointV6:	%11
	Phase1AuthSetId:	%12
	Phase2AuthSetId:	%13
	Phase2CryptoSetId:	%14
	Action:	%15
	Profiles:	%16
	LocalAddresses:	%17
	RemoteAddresses:	%18
	EmbeddedContext:	%20
	IsDTM:	%22
	ApplyAuthZ:	%23
	BypassTunnelIfEncrypted:	%24
	NoIPSecOnOutbound:	%25
	ModifyingUser:	%26
	ModifyingApplication:	%27n	Error Code:	%30

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`Active`	—
`Protocol`	—
`Endpoint1Ports`	—
`Endpoint2Ports`	—
`LocalTunnelEndpointV4`	—
`LocalTunnelEndpointV6`	—
`RemoteTunnelEndpointV4`	—
`RemoteTunnelEndpointV6`	—
`Phase1AuthSetId`	—
`Phase2AuthSetId`	—
`Phase2CryptoSetId`	—
`Action`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`MMParentRuleId`	—
`EmbeddedContext`	—
`Flags`	—
`IsDTM`	—
`ApplyAuthZ`	—
`BypassTunnelIfEncrypted`	—
`NoIPSecOnOutbound`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2064 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`SetId`	—
`SetName`	—
`IPsecPhase`	—
`EmbeddedContext`	—
`Origin`	—
`AuthSetFlags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`AuthenticationSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2064 — An authentication set has been added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

An authentication set has been added to IPsec settings.

	Set ID:	%1
	Set Name:	%2
	IPsec Phase:	%3
	Origin:	%5
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11
	Error Code:	%14

Fields

Name	Description
`SetId`	—
`SetName`	—
`IPsecPhase`	—
`EmbeddedContext`	—
`Origin`	—
`AuthSetFlags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`AuthenticationSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2065 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`SetId`	—
`SetName`	—
`IPsecPhase`	—
`EmbeddedContext`	—
`Origin`	—
`AuthSetFlags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`AuthenticationSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2065 — An authentication set has been modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

An authentication set has been modified in IPsec settings.

	Set ID:	%1
	Set Name:	%2
	IPsec Phase:	%3
	Origin:	%5
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11
	Error Code:	%14

Fields

Name	Description
`SetId`	—
`SetName`	—
`IPsecPhase`	—
`EmbeddedContext`	—
`Origin`	—
`AuthSetFlags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`AuthenticationSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2066 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`SetId`	—
`SetName`	—
`IPsecPhase`	—
`EmbeddedContext`	—
`Origin`	—
`AuthSetFlags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`AuthenticationSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2066 — An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose

Message

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

	Set ID:	%1
	Set Name:	%2
	IPsec Phase:	%3
	Origin:	%5
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11
	Error Code:	%14

Fields

Name	Description
`SetId`	—
`SetName`	—
`IPsecPhase`	—
`EmbeddedContext`	—
`Origin`	—
`AuthSetFlags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`AuthenticationSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2067 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`IPsecPhase`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2067 — An authentication set has been deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

An authentication set has been deleted from IPsec settings.

Deleted Rule:
	Rule ID:	%1
	Rule Name:	%2
	Modifying User:	%3
	Modifying Application:	%4
	Error Code:	%6

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`IPsecPhase`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2068 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`Phase1AuthSetId`	—
`Phase1CryptoSetId`	—
`Flags`	—
`Active`	—
`EmbeddedContext`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2068 — A main mode rule has been added in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A main mode rule has been added in the IPsec settings.

	Rule ID:	%1
	Rule Name:	%2
	Profiles:	%3
	Endpoint1:	%4
	Endpoint2:	%5
	Phase1AuthSetId:	%6
	Phase1CryptoSetId:	%7
	Flags:	%8
	Active:	%9
	EmbeddedContext:	%10
	Origin:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13
	Error Code:	%16

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`Phase1AuthSetId`	—
`Phase1CryptoSetId`	—
`Flags`	—
`Active`	—
`EmbeddedContext`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2069 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`Phase1AuthSetId`	—
`Phase1CryptoSetId`	—
`Flags`	—
`Active`	—
`EmbeddedContext`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2069 — A main mode rule has been modified in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A main mode rule has been modified in the IPsec settings.

	Rule ID:	%1
	Rule Name:	%2
	Profiles:	%3
	Endpoint1:	%4
	Endpoint2:	%5
	Phase1AuthSetId:	%6
	Phase1CryptoSetId:	%7
	Flags:	%8
	Active:	%9
	EmbeddedContext:	%10
	Origin:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13
	Error Code:	%16

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`Phase1AuthSetId`	—
`Phase1CryptoSetId`	—
`Flags`	—
`Active`	—
`EmbeddedContext`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2070 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`Phase1AuthSetId`	—
`Phase1CryptoSetId`	—
`Flags`	—
`Active`	—
`EmbeddedContext`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2070 — A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose

Message

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

	Rule ID:	%1
	Rule Name:	%2
	Profiles:	%3
	Endpoint1:	%4
	Endpoint2:	%5
	Phase1AuthSetId:	%6
	Phase1CryptoSetId:	%7
	Flags:	%8
	Active:	%9
	EmbeddedContext:	%10
	Origin:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13
	Error Code:	%16

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Profiles`	—
`Endpoint1`	—
`Endpoint2`	—
`Phase1AuthSetId`	—
`Phase1CryptoSetId`	—
`Flags`	—
`Active`	—
`EmbeddedContext`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2071 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`ErrorCode`	—

Sigma Rules

Uncommon New Firewall Rule Added In Windows Firewall Exception List
Detects when a rule has been added to the Windows Firewall exception list
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

Event ID 2071 — A rule has been added to the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%18
	Direction:	%6
	Profiles:	%11
	Action:	%10
	Application Path:	%4
	Service Name:	%5
	Protocol:	%7
	Security Options:	%21
	Edge Traversal:	%19
	Modifying User:	%22
	Modifying Application:	%23
	Error Code:	%27

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`ErrorCode`	—

Sigma Rules

Uncommon New Firewall Rule Added In Windows Firewall Exception List
Detects when a rule has been added to the Windows Firewall exception list
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

Event ID 2072 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`ErrorCode`	—

Event ID 2072 — A rule has been listed when the Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose

Message

A rule has been listed when the Windows Defender Firewall started.

Added Rule:
	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%18
	Direction:	%6
	Profiles:	%11
	Action:	%10
	Application Path:	%4
	Service Name:	%5
	Protocol:	%7
	Security Options:	%21
	Edge Traversal:	%19
	Error Code:	%27

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`ErrorCode`	—

Event ID 2073 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`ErrorCode`	—

Event ID 2073 — A rule has been modified in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A rule has been modified in the Windows Defender Firewall exception list.

Modified Rule:
	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%18
	Direction:	%6
	Profiles:	%11
	Action:	%10
	Application Path:	%4
	Service Name:	%5
	Protocol:	%7
	Security Options:	%21
	Edge Traversal:	%19
	Modifying User:	%22
	Modifying Application:	%23
	Error Code:	%27

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`ErrorCode`	—

Event ID 2074 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`IPsecPhase`	—
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2074 — All authentication sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

All authentication sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase:	%1
	Store Type:	%2
	ModifyingUser:	%3
	ModifyingApplication:	%4
	Error Code:	%5

Fields

Name	Description
`IPsecPhase`	—
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2075 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`IPsecPhase`	—
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2075 — All crypto sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

All crypto sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase:	%1
	Store Type:	%2
	ModifyingUser:	%3
	ModifyingApplication:	%4
	Error Code:	%5

Fields

Name	Description
`IPsecPhase`	—
`StoreType`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Event ID 2076 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Flags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`TimeOutMinutes`	—
`TimeOutSessions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2076 — A phase 1 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 1 crypto set was added to IPsec settings.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Flags:	%6
	NumSuites:	%7
	TimeOutMinutes:	%10
	TimeOutSessions:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13
	Error Code:	%16

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Flags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`TimeOutMinutes`	—
`TimeOutSessions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2077 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Flags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`TimeOutMinutes`	—
`TimeOutSessions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2077 — A phase 1 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 1 crypto set was modified in IPsec settings.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Flags:	%6
	NumSuites:	%7
	TimeOutMinutes:	%10
	TimeOutSessions:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13
	Error Code:	%16

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Flags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`TimeOutMinutes`	—
`TimeOutSessions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2078 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Flags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`TimeOutMinutes`	—
`TimeOutSessions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2078 — A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose

Message

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Flags:	%6
	NumSuites:	%7
	TimeOutMinutes:	%10
	TimeOutSessions:	%11
	ModifyingUser:	%12
	ModifyingApplication:	%13
	Error Code:	%16

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Flags`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`TimeOutMinutes`	—
`TimeOutSessions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2079 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Pfs`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2079 — A phase 2 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 2 crypto set was added to IPsec settings.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Pfs:	%6
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11
	Error Code:	%14

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Pfs`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2080 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Pfs`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2080 — A phase 2 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity

Message

A phase 2 crypto set was modified in IPsec settings.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Pfs:	%6
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11
	Error Code:	%14

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Pfs`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2081 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Pfs`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2081 — A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose

Message

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID:	%1
	Set Name:	%2
	Origin:	%4
	Pfs:	%6
	NumSuites:	%7
	ModifyingUser:	%10
	ModifyingApplication:	%11
	Error Code:	%14

Fields

Name	Description
`SetId`	—
`SetName`	—
`EmbeddedContext`	—
`Origin`	—
`CryptoSetFlags`	—
`Pfs`	—
`NumSuites`	—
`SuitesBinaryLength`	—
`CryptoSuites`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`ErrorCode`	—

Event ID 2082 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`Profiles`	—
`SettingType`	—
`SettingValueSize`	—
`SettingValue`	—
`SettingValueString`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Sigma Rules

Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed

Event ID 2082 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

A Windows Defender Firewall setting in the %1 profile has changed.
New Setting:
	Type:	%2
	Value:	%5
	Modifying User:	%7
	Modifying Application:	%8
	Error Code:	%9

Fields

Name	Description
`Profiles`	—
`SettingType`	—
`SettingValueSize`	—
`SettingValue`	—
`SettingValueString`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2082
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T00:14:24.218884+00:00'
  event_record_id: 1270
  correlation: {}
  execution:
    process_id: 2896
    thread_id: 8508
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  Profiles: 1
  SettingType: 3
  SettingValueSize: 4
  SettingValue: '00000000'
  SettingValueString: 'No'
  Origin: 1
  ModifyingUser: S-1-5-18
  ModifyingApplication: C:\Program Files (x86)\Avira\Antivirus\ccuac.exe
  ErrorCode: 0
message: ''

Sigma Rules

Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2083 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`SettingType`	—
`SettingValueSize`	—
`SettingValue`	—
`SettingValueDisplay`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Sigma Rules

Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed

Event ID 2083 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

A Windows Defender Firewall setting has changed.

New Setting:
	Type:	%1
	Value:	%4
	Modifying User:	%6
	Modifying Application:	%7
	Error Code:	%8

Fields

Name	Description
`SettingType`	—
`SettingValueSize`	—
`SettingValue`	—
`SettingValueDisplay`	—
`Origin`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`ErrorCode`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2083
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-10-25T22:52:38.271525+00:00'
  event_record_id: 650
  correlation: {}
  execution:
    process_id: 2884
    thread_id: 4496
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WinDevEval
  security:
    user_id: S-1-5-19
event_data:
  SettingType: 2
  SettingValueSize: 4
  SettingValue: '06000000'
  SettingValueDisplay: (null),(null)
  Origin: 1
  ModifyingUser: S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052
  ModifyingApplication: ''
  ErrorCode: 0
message: ''

Sigma Rules

Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2084 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleName`	—

Event ID 2084 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

Added a Duplicate Rule

Rule Name:	%1

Fields

Name	Description
`RuleName`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2084
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:51.051278+00:00'
  event_record_id: 715
  correlation: {}
  execution:
    process_id: 3344
    thread_id: 3768
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  RuleName: '@{Microsoft.WindowsTerminal_1.18.2822.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsTerminal/Resources/AppStoreName}'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2085 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`ActivityGUID`	—
`SwitchName`	—
`PortName`	—
`VMCreatorId`	—
`InterfaceGUID`	—
`PartitionGUID`	—
`Constrained`	—

Event ID 2085 — Created Hyper-V Port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Created Hyper-V Port.

Error code:	%1
Activity GUID:	%2
Switch Name:	%3
Port Name:	%4
VM Creator ID:	%5
Interface GUID:	%6
Partition GUID:	%7
Constrained:	%8

Fields

Name	Description
`ErrorCode`	—
`ActivityGUID`	—
`SwitchName`	—
`PortName`	—
`VMCreatorId`	—
`InterfaceGUID`	—
`PartitionGUID`	—
`Constrained`	—

Event ID 2086 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`ActivityGUID`	—
`SwitchName`	—
`PortName`	—
`VMCreatorId`	—
`InterfaceGUID`	—
`PartitionGUID`	—
`Constrained`	—

Event ID 2086 — Updated Hyper-V Port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Updated Hyper-V Port.

Error code:	%1
Activity GUID:	%2
Switch Name:	%3
Port Name:	%4
VM Creator ID:	%5
Interface GUID:	%6
Partition GUID:	%7
Constrained:	%8

Fields

Name	Description
`ErrorCode`	—
`ActivityGUID`	—
`SwitchName`	—
`PortName`	—
`VMCreatorId`	—
`InterfaceGUID`	—
`PartitionGUID`	—
`Constrained`	—

Event ID 2087 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`ActivityGUID`	—
`SwitchName`	—
`PortName`	—

Event ID 2087 — Deleted Hyper-V Port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

Deleted Hyper-V Port.

Error code:	%1
Activity GUID:	%2
Switch Name:	%3
Port Name:	%4

Fields

Name	Description
`ErrorCode`	—
`ActivityGUID`	—
`SwitchName`	—
`PortName`	—

Event ID 2088 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`VMCreatorId`	—
`VMConfig`	—
`Value`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2088 — A Hyper-V Firewall VM Setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A Hyper-V Firewall VM Setting has changed.
Error Code:	%1
Origin:	%2
VM Creator ID:	%3
Setting:	%4
	Value:	%5
	Modifying User:	%6
	Modifying Application:	%7

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`VMCreatorId`	—
`VMConfig`	—
`Value`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2089 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`VMCreatorId`	—
`VMConfig`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2089 — A Hyper-V Firewall VM Setting has reset.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A Hyper-V Firewall VM Setting has reset.
Error Code:	%1
Origin:	%2
VM Creator ID:	%3
Setting:	%4
Modifying User:	%5
	Modifying Application:	%6

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`VMCreatorId`	—
`VMConfig`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2090 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`RuleID`	—
`RuleName`	—
`VMCreatorId`	—
`Priority`	—
`Direction`	—
`Action`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`Active`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2090 — A Hyper-V rule has been added.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A Hyper-V rule has been added.

Error Code:	%1
Origin:	%2
Rule ID:	%3
Rule Name:	%4
VM Creator ID:	%5
Priority:	%6
Direction:	%7
Action:	%8
Protocol:	%9
Local Ports:	%10
Remote Ports:	%11
Local Addresses:	%12
Remote Addresses:	%13
Active:	%14
Modifying User:	%15
	Modifying Application:	%16

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`RuleID`	—
`RuleName`	—
`VMCreatorId`	—
`Priority`	—
`Direction`	—
`Action`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`Active`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2091 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`RuleID`	—
`RuleName`	—
`VMCreatorId`	—
`Priority`	—
`Direction`	—
`Action`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`Active`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2091 — A Hyper-V rule has been updated.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A Hyper-V rule has been updated.

Error Code:	%1
Origin:	%2
Rule ID:	%3
Rule Name:	%4
VM Creator ID:	%5
Priority:	%6
Direction:	%7
Action:	%8
Protocol:	%9
Local Ports:	%10
Remote Ports:	%11
Local Addresses:	%12
Remote Addresses:	%13
Active:	%14
Modifying User:	%15
	Modifying Application:	%16

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`RuleID`	—
`RuleName`	—
`VMCreatorId`	—
`Priority`	—
`Direction`	—
`Action`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`Active`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2092 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`RuleID`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2092 — A Hyper-V rule has been deleted.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A Hyper-V rule has been deleted.

Error Code:	%1
Origin:	%2
Rule ID:	%3
Modifying User:	%4
	Modifying Application:	%5

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`RuleID`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2093 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`SwitchName`	—
`PortName`	—

Event ID 2093 — A error occured while initializing a Hyper-V port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A error occured while initializing a Hyper-V port. Network connectivity may be affected.

Error Code:	%1
Switch Name:	%2
Port Name:	%3

Fields

Name	Description
`ErrorCode`	—
`SwitchName`	—
`PortName`	—

Event ID 2094 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`RuleOperation`	—
`RuleID`	—
`StoreType`	—

Event ID 2094 — A error occured while processing a Hyper-V rule.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A error occured while processing a Hyper-V rule. It may not be enforced properly.

Error Code:	%1
Rule Operation:	%2
Rule ID:	%3
Origin	%4

Fields

Name	Description
`ErrorCode`	—
`RuleOperation`	—
`RuleID`	—
`StoreType`	—

Event ID 2095 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`VMCreatorId`	—
`FriendlyName`	—

Event ID 2095 — A Hyper-V VM Creator has been registered with the firewall service.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A Hyper-V VM Creator has been registered with the firewall service.

Error Code:	%1
Id:	%2
Friendly Name:	%3

Fields

Name	Description
`ErrorCode`	—
`VMCreatorId`	—
`FriendlyName`	—

Event ID 2096 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`VMCreatorId`	—

Event ID 2096 — A Hyper-V VM Creator has been unregistered with the firewall service.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A Hyper-V VM Creator has been unregistered with the firewall service.

Error Code:	%1
Id:	%2

Fields

Name	Description
`ErrorCode`	—
`VMCreatorId`	—

Event ID 2097 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`PolicyAppId`	—
`ErrorCode`	—

Sigma Rules

Uncommon New Firewall Rule Added In Windows Firewall Exception List
Detects when a rule has been added to the Windows Firewall exception list
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

Event ID 2097 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%18
	Direction:	%6
	Profiles:	%11
	Action:	%10
	Application Path:	%4
	Service Name:	%5
	Protocol:	%7
	Security Options:	%21
	Edge Traversal:	%19
	Modifying User:	%22
	Modifying Application:	%23
	PolicyAppId:	%27
	Error Code:	%28

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`PolicyAppId`	—
`ErrorCode`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2097
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223374235878031360
  time_created: '2023-11-06T01:44:15.909142+00:00'
  event_record_id: 1322
  correlation: {}
  execution:
    process_id: 2896
    thread_id: 22016
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  RuleId: '{F12880D2-1AF5-4F03-AB63-8FEB63B400D0}'
  RuleName: Microsoft Teams
  Origin: 1
  ApplicationPath: C:\Program Files\WindowsApps\MicrosoftTeams_23275.702.2421.2406_x64__8wekyb3d8bbwe\msteams.exe
  ServiceName: ''
  Direction: 1
  Protocol: 17
  LocalPorts: '*'
  RemotePorts: '*'
  Action: 3
  Profiles: 2147483647
  LocalAddresses: '*'
  RemoteAddresses: '*'
  RemoteMachineAuthorizationList: ''
  RemoteUserAuthorizationList: ''
  EmbeddedContext: '{78E1CD88-49E3-476E-B926-580E596AD309}'
  Flags: 1
  Active: 1
  EdgeTraversal: 0
  LooseSourceMapped: 0
  SecurityOptions: 0
  ModifyingUser: S-1-5-18
  ModifyingApplication: C:\Windows\System32\svchost.exe
  SchemaVersion: 543
  RuleStatus: 65536
  LocalOnlyMapped: 0
  PolicyAppId: ''
  ErrorCode: 0
message: ''

Sigma Rules

Uncommon New Firewall Rule Added In Windows Firewall Exception List
Detects when a rule has been added to the Windows Firewall exception list
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2098 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`PolicyAppId`	—
`ErrorCode`	—

Event ID 2098 — A rule has been listed when the Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose

Message

A rule has been listed when the Windows Defender Firewall started.

Added Rule:
	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%18
	Direction:	%6
	Profiles:	%11
	Action:	%10
	Application Path:	%4
	Service Name:	%5
	Protocol:	%7
	Security Options:	%21
	Edge Traversal:	%19
	PolicyAppId:	%27
	Error Code:	%28

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`PolicyAppId`	—
`ErrorCode`	—

Event ID 2099 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`PolicyAppId`	—
`ErrorCode`	—

Event ID 2099 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: 4
Samples: 1

Message

A rule has been modified in the Windows Defender Firewall exception list.

Modified Rule:
	Rule ID:	%1
	Rule Name:	%2
	Origin:	%3
	Active:	%18
	Direction:	%6
	Profiles:	%11
	Action:	%10
	Application Path:	%4
	Service Name:	%5
	Protocol:	%7
	Security Options:	%21
	Edge Traversal:	%19
	Modifying User:	%22
	Modifying Application:	%23
	PolicyAppId:	%27
	Error Code:	%28

Fields

Name	Description
`RuleId`	—
`RuleName`	—
`Origin`	—
`ApplicationPath`	—
`ServiceName`	—
`Direction`	—
`Protocol`	—
`LocalPorts`	—
`RemotePorts`	—
`Action`	—
`Profiles`	—
`LocalAddresses`	—
`RemoteAddresses`	—
`RemoteMachineAuthorizationList`	—
`RemoteUserAuthorizationList`	—
`EmbeddedContext`	—
`Flags`	—
`Active`	—
`EdgeTraversal`	—
`LooseSourceMapped`	—
`SecurityOptions`	—
`ModifyingUser`	—
`ModifyingApplication`	—
`SchemaVersion`	—
`RuleStatus`	—
`LocalOnlyMapped`	—
`PolicyAppId`	—
`ErrorCode`	—

Example Event

system:
  provider: Microsoft-Windows-Windows Firewall With Advanced Security
  guid: D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85
  event_source_name: ''
  event_id: 2099
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223374235878031360
  time_created: '2023-11-06T01:00:42.526564+00:00'
  event_record_id: 1285
  correlation: {}
  execution:
    process_id: 2896
    thread_id: 18012
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  RuleId: '{C4847D55-2E11-4510-9513-51B82576049A}'
  RuleName: Teamviewer Remote Control Service
  Origin: 0
  ApplicationPath: C:\Program Files\TeamViewer\TeamViewer_Service.exe
  ServiceName: ''
  Direction: 1
  Protocol: 17
  LocalPorts: '*'
  RemotePorts: '*'
  Action: 3
  Profiles: 4
  LocalAddresses: '*'
  RemoteAddresses: '*'
  RemoteMachineAuthorizationList: ''
  RemoteUserAuthorizationList: ''
  EmbeddedContext: ''
  Flags: 1
  Active: 1
  EdgeTraversal: 0
  LooseSourceMapped: 0
  SecurityOptions: 0
  ModifyingUser: S-1-5-21-1992711665-1655669231-58201500-1000
  ModifyingApplication: C:\Users\User\AppData\Local\Temp\cdd35c3a-7c34-11ee-936c-000c293379ba\TeamViewer_.exe
  SchemaVersion: 543
  RuleStatus: 65536
  LocalOnlyMapped: 0
  PolicyAppId: ''
  ErrorCode: 2
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2100 — A proxy is being used with Network Isolation, and is listed as a cloud resource.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Message

A proxy is being used with Network Isolation, and is listed as a cloud resource. Network connectivity will be affected. 

 Remove the domain of the proxy from the Network Isolation policy. 

 Proxy Name:	%1

Fields

Name	Description
`ProxyName`	—

Event ID 2101 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`ProfileType`	—
`VMCreatorId`	—
`ProfileConfig`	—
`Value`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2101 — A Hyper-V Firewall Profile Setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A Hyper-V Firewall Profile Setting has changed.
Error Code:	%1
Origin:	%2
Profile Type:	%3
VM Creator ID:	%4
Setting:	%5
	Value:	%6
	Modifying User:	%7
	Modifying Application:	%8

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`ProfileType`	—
`VMCreatorId`	—
`ProfileConfig`	—
`Value`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2102 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`ProfileType`	—
`VMCreatorId`	—
`ProfileConfig`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2102 — A Hyper-V Firewall Profile Setting has reset.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A Hyper-V Firewall Profile Setting has reset.
Error Code:	%1
Origin:	%2
Profile Type:	%3
VM Creator ID:	%4
Setting:	%5
Modifying User:	%6
	Modifying Application:	%7

Fields

Name	Description
`ErrorCode`	—
`StoreType`	—
`ProfileType`	—
`VMCreatorId`	—
`ProfileConfig`	—
`ModifyingUser`	—
`ModifyingApplication`	—

Event ID 2103 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—

Event ID 2103 — A commit of an atomic transaction failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A commit of an atomic transaction failed. Rollback will begin.

Error Code:	%1

Fields

Name	Description
`ErrorCode`	—

Event ID 2104 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2104 — The commit of an add operation in CSP failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

The commit of an add operation in CSP failed. 

Rule name:	%1
Error Code:	%2

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2105 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2105 — The commit of an delete operation in CSP failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

The commit of an delete operation in CSP failed. 

Rule name:	%1
Error Code:	%2

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2106 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2106 — The commit of a set operation in CSP failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

The commit of a set operation in CSP failed. 

Rule name:	%1
Error Code:	%2

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2107 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`ErrorCode`	—

Event ID 2107 — A rollback of an atomic transaction completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

A rollback of an atomic transaction completed.

Error Code:	%1

Fields

Name	Description
`ErrorCode`	—

Event ID 2108 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2108 — The rollback of a delete operation completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

The rollback of a delete operation completed. The rollback of a delete is the addition of the rule.

Rule name:	%1
Error Code:	%2

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2109 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2109 — The rollback of an add operation completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

The rollback of an add operation completed. The rollback of an add is deletion of the rule.

Rule name:	%1
Error Code:	%2

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2110 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 2110 — The rollback of a set operation completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Message

The rollback of a set operation completed. The rollback of a set is re-setting the previous values. 

Rule name:	%1
Error Code:	%2

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—