Microsoft-Windows-Windows Firewall With Advanced Security

171 events across 8 channels

Event ID	Title	Channel
0		FirewallDiagnostics
2000	The following settings were applied to the Windows Defender Firewall at startup.	FirewallVerbose
2001	The following per profile settings were applied by Windows Defender Firewall.	FirewallVerbose
2002	A Windows Defender Firewall setting has changed.	Firewall
2003	A Windows Defender Firewall setting in the Profiles profile has changed.	Firewall
2004	A rule has been added to the Windows Defender Firewall exception list.	Firewall
2005	A rule has been modified in the Windows Defender Firewall exception list.	Firewall
2006	A rule has been deleted in the Windows Defender Firewall exception list.	Firewall
2007	A rule has been listed when the Windows Defender Firewall started.	FirewallVerbose
2008	Windows Defender Firewall Group Policy settings have changed.	Firewall
2009	The Windows Defender Firewall service failed to load Group Policy.	Firewall
2010	Network profile changed on an interface.	Firewall
2011	Windows Defender Firewall was unable to notify the user that it blocked an …	Firewall
2012	A connection security rule was added to IPsec settings.	ConnectionSecurity
2013	A connection security rule was modified in IPsec settings.	ConnectionSecurity
2014	A connection security rule was deleted from IPsec settings.	ConnectionSecurity
2015	A connection security rule was added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose
2016	A main mode rule has been added in the IPsec settings.	ConnectionSecurity
2017	A main mode rule has been modified in the IPsec settings.	ConnectionSecurity
2018	A main mode rule has been deleted in the IPsec settings.	ConnectionSecurity
2019	A main mode rule was added to the IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2020	A phase 1 crypto set was added to IPsec settings.	ConnectionSecurity
2021	A phase 1 crypto set was modified in IPsec settings.	ConnectionSecurity
2022	A phase 1 crypto set was deleted from IPsec settings.	ConnectionSecurity
2023	A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2024	A phase 2 crypto set was added to IPsec settings.	ConnectionSecurity
2025	A phase 2 crypto set was modified in IPsec settings.	ConnectionSecurity
2026	A phase 2 crypto set was deleted from IPsec settings.	ConnectionSecurity
2027	A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2028	An authentication set has been added to IPsec settings.	ConnectionSecurity
2029	An authentication set has been modified in IPsec settings.	ConnectionSecurity
2030	An authentication set has been deleted from IPsec settings.	ConnectionSecurity
2031	An authentication set has been added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose
2032	Windows Defender Firewall has been reset to its default configuration.	Firewall
2033	All rules have been deleted from the Windows Defender Firewall configuration on …	Firewall
2034	All connection security rules have been deleted from the IPsec configuration on …	ConnectionSecurity
2035	All main mode rules have been deleted from the IPsec configuration on this …	ConnectionSecurity
2036	All authentication sets have been deleted from the IPsec configuration on this …	ConnectionSecurity
2037	All crypto sets have been deleted from the IPsec configuration on this computer.	ConnectionSecurity
2038	Windows Defender Firewall did not apply the following rule because the rule was …	ConnectionSecurity
2039	Http Proxies Changed.	Network Isolation Operational
2040	Corp Subnets Changed.	Network Isolation Operational
2041	Capability Changed.	Network Isolation Operational
2042	Config Read Failed.	System
2043	The Windows Firewall Service failed to initialize a component.	Firewall
2044	Added Dynamic Keyword Address.	Firewall
2045	Deleted Dynamic Keyword Address.	Firewall
2046	Updated Dynamic Keyword Address.	Firewall
2047	Tenant Restrictions Policy Update.	Firewall
2048	Added Dynamic Keyword Address.	Firewall
2049	Deleted Dynamic Keyword Address.	Firewall
2050	Updated Dynamic Keyword Address.	Firewall
2051	Tenant Restrictions Policy Update.	Firewall
2051		Operational
2052	A rule has been deleted in the Windows Defender Firewall exception list.	Firewall
2052		Operational
2053	A connection security rule was deleted from IPsec settings.	ConnectionSecurity
2053		Operational
2054	A main mode rule has been deleted in the IPsec settings.	ConnectionSecurity
2054		Operational
2055	A phase 1 crypto set was deleted from IPsec settings.	ConnectionSecurity
2055		Operational
2056	A phase 2 crypto set was deleted from IPsec settings.	ConnectionSecurity
2056		Operational
2057	All connection security rules have been deleted from the IPsec configuration on …	ConnectionSecurity
2057		Operational
2058	All main mode rules have been deleted from the IPsec configuration on this …	ConnectionSecurity
2058		Operational
2059	All rules have been deleted from the Windows Defender Firewall configuration on …	Firewall
2059		Operational
2060	Windows Defender Firewall has been reset to its default configuration.	Firewall
2060		Operational
2061	A connection security rule was added to IPsec settings.	ConnectionSecurity
2061		Operational
2062	A connection security rule was modified in IPsec settings.	ConnectionSecurity
2062		Operational
2063	A connection security rule was added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose
2063		Operational
2064	An authentication set has been added to IPsec settings.	ConnectionSecurity
2064		Operational
2065	An authentication set has been modified in IPsec settings.	ConnectionSecurity
2065		Operational
2066	An authentication set has been added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose
2066		Operational
2067	An authentication set has been deleted from IPsec settings.	ConnectionSecurity
2067		Operational
2068	A main mode rule has been added in the IPsec settings.	ConnectionSecurity
2068		Operational
2069	A main mode rule has been modified in the IPsec settings.	ConnectionSecurity
2069		Operational
2070	A main mode rule was added to the IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2070		Operational
2071	A rule has been added to the Windows Defender Firewall exception list.	Firewall
2071		Operational
2072	A rule has been listed when the Windows Defender Firewall started.	FirewallVerbose
2072		Operational
2073	A rule has been modified in the Windows Defender Firewall exception list.	Firewall
2073		Operational
2074	All authentication sets have been deleted from the IPsec configuration on this …	ConnectionSecurity
2074		Operational
2075	All crypto sets have been deleted from the IPsec configuration on this computer.	ConnectionSecurity
2075		Operational
2076	A phase 1 crypto set was added to IPsec settings.	ConnectionSecurity
2076		Operational
2077	A phase 1 crypto set was modified in IPsec settings.	ConnectionSecurity
2077		Operational
2078	A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2078		Operational
2079	A phase 2 crypto set was added to IPsec settings.	ConnectionSecurity
2079		Operational
2080	A phase 2 crypto set was modified in IPsec settings.	ConnectionSecurity
2080		Operational
2081	A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose
2081		Operational
2082	A Windows Defender Firewall setting in the Profiles profile has changed.	Firewall
2082		Operational
2083	A Windows Defender Firewall setting has changed.	Firewall
2083		Operational
2084	Added a Duplicate Rule.	Firewall
2084		Operational
2085	Created Hyper-V Port.	Firewall
2085		Operational
2086	Updated Hyper-V Port.	Firewall
2086		Operational
2087	Deleted Hyper-V Port.	Firewall
2087		Operational
2088	A Hyper-V Firewall VM Setting has changed.	Firewall
2088		Operational
2089	A Hyper-V Firewall VM Setting has reset.	Firewall
2089		Operational
2090	A Hyper-V rule has been added.	Firewall
2090		Operational
2091	A Hyper-V rule has been updated.	Firewall
2091		Operational
2092	A Hyper-V rule has been deleted.	Firewall
2092		Operational
2093	A error occured while initializing a Hyper-V port.	Firewall
2093		Operational
2094	A error occured while processing a Hyper-V rule.	Firewall
2094		Operational
2095	A Hyper-V VM Creator has been registered with the firewall service.	Firewall
2095		Operational
2096	A Hyper-V VM Creator has been unregistered with the firewall service.	Firewall
2096		Operational
2097	A rule has been added to the Windows Defender Firewall exception list.	Firewall
2097		Operational
2098	A rule has been listed when the Windows Defender Firewall started.	FirewallVerbose
2098		Operational
2099	A rule has been modified in the Windows Defender Firewall exception list.	Firewall
2099		Operational
2100	A proxy is being used with Network Isolation, and is listed as a cloud resource.	Operational
2101	A Hyper-V Firewall Profile Setting has changed.	Firewall
2101		Operational
2102	A Hyper-V Firewall Profile Setting has reset.	Firewall
2102		Operational
2103	A commit of an atomic transaction failed.	Firewall
2103		Operational
2104	The commit of an add operation in CSP failed.	Firewall
2104		Operational
2105	The commit of an delete operation in CSP failed.	Firewall
2105		Operational
2106	The commit of a set operation in CSP failed.	Firewall
2106		Operational
2107	A rollback of an atomic transaction completed.	Firewall
2107		Operational
2108	The rollback of a delete operation completed.	Firewall
2108		Operational
2109	The rollback of an add operation completed.	Firewall
2109		Operational
2110	The rollback of a set operation completed.	Firewall
2110		Operational

Event ID 0 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallDiagnostics
Level: Informational

Fields #

Name	Description
`Name`	—
`callersAppCommandLine`	—
`callerFunctionName`	—
`threadWaitAndLockHoldTimeMs`	—
`fwLockHoldTimeMs`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 0,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 0,
    "time_created": "2026-03-13T16:56:23.124535+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 1944,
      "thread_id": 10968
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "FwThreadWaitTimeAndHoldTimeForFwLock",
    "callersAppCommandLine": "MPSSVC",
    "callerFunctionName": "FwGetConSecRuleIdFromFilterId",
    "threadWaitAndLockHoldTimeMs": 157578,
    "fwLockHoldTimeMs": 157578
  },
  "message": ""
}

Event ID 2000 — The following settings were applied to the Windows Defender Firewall at startup.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose
Level: Informational
Opcode: Info

Description

The following settings were applied to the Windows Defender Firewall at startup.

Message #

The following settings were applied to the Windows Defender Firewall at startup

	Current Profile: %1
	IPsec SA Idle time: %2
	IPsec preshared key encoding: %3
	IPsec Exempt: %4
	IPsec CRL Check: %5
	IPsec Through NAT: %6
	Policy Version Supported: %7
	Policy Version: %8
	Binary Version Supported: %9
	Stateful FTP: %10
	Group Policy Applied: %11
	Remote Machine Authorization List: %12
	Remote UserAuthorization List: %13

Fields #

Name	Description
`CurrentProfile` UInt32	—
`SAIdleTime` UInt32	—
`PresharedKeyEncoding` UInt32	—
`IPSecExempt` UInt32	—
`CrlCheck` UInt32	—
`IPSecThroughNAT` UInt32	—
`PolicyVersionSupported` UInt32	—
`PolicyVersion` UInt32	—
`BinaryVersionSupported` UInt32	—
`DisableStatefulFTP` UInt32	—
`GroupPolicyApplied` UInt32	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EnableAuditMode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2000,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-13T20:05:11.415313+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "CurrentProfile": 4,
    "SAIdleTime": 300,
    "PresharedKeyEncoding": 1,
    "IPSecExempt": 9,
    "CrlCheck": 0,
    "IPSecThroughNAT": 0,
    "PolicyVersionSupported": 544,
    "PolicyVersion": 544,
    "BinaryVersionSupported": 544,
    "DisableStatefulFTP": 0,
    "GroupPolicyApplied": 0,
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": ""
  },
  "message": ""
}

Event ID 2001 — The following per profile settings were applied by Windows Defender Firewall.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose
Level: Informational
Opcode: Info

Description

The following per profile settings were applied by Windows Defender Firewall.

Message #

The following per profile settings were applied by Windows Defender Firewall 

	Profile: %1
	Operational Mode: %2
	Stealth Mode: %3
	Block all Incoming Connections: %4
	Unicast response to multicast broadcast: %5
	Log dropped packets: %6
	Log successful connections: %7
	Log ignored rules: %8
	Inbound Notifications: %9
	Allow Local Policy Merge: %12
	Allow Local IPsec Policy Merge: %13
	Default Outbound Action: %14
	Default Inbound Action: %15
	Remote Administration: %16
	Stealth Mode IPsec Secured Packet Exemption: %21
	Maximum Log file size: %17
	Log File path: %18
	Allow User preferred merge of Authorized Applications: %10
	Allow User preferred merge of Globally open ports: %11

Fields #

Name	Description
`Profile` UInt32	—
`OpMode` UInt32	—
`DisableStealthMode` UInt32	—
`BlockAllInbound` UInt32	—
`DisableUnicastResponseToMultiCastBroadCast` UInt32	—
`LogDroppedPackets` UInt32	—
`LogSuccessfulConnections` UInt32	—
`LogIgnoredRules` UInt32	—
`DisableInboundNotifications` UInt32	—
`AllowUserPrefMergeForApps` UInt32	—
`AllowUserPrefMergeForGlobalPorts` UInt32	—
`AllowLocalPolicyMerge` UInt32	—
`AllowIPSecPolicyMerge` UInt32	—
`DefaultOutboundAction` UInt32	—
`DefaultInboundAction` UInt32	—
`RemoteAdministrationEnabled` UInt32	—
`MaxLogFileSize` UInt32	—
`LogFilePath` UnicodeString	—
`DisabledInterfacesSize` UInt32	—
`DisabledInterfaces` Binary	—
`DisableStealthModeIPsecSecuredPacketExemption` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-13T20:05:11.414064+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Profile": 1,
    "OpMode": 1,
    "DisableStealthMode": 0,
    "BlockAllInbound": 0,
    "DisableUnicastResponseToMultiCastBroadCast": 0,
    "LogDroppedPackets": 0,
    "LogSuccessfulConnections": 0,
    "LogIgnoredRules": 0,
    "DisableInboundNotifications": 0,
    "AllowUserPrefMergeForApps": 1,
    "AllowUserPrefMergeForGlobalPorts": 1,
    "AllowLocalPolicyMerge": 1,
    "AllowIPSecPolicyMerge": 0,
    "DefaultOutboundAction": 0,
    "DefaultInboundAction": 1,
    "RemoteAdministrationEnabled": 0,
    "MaxLogFileSize": 2048,
    "LogFilePath": "%systemroot%\\system32\\LogFiles\\Firewall\\pfirewall.log",
    "DisabledInterfacesSize": 0,
    "DisabledInterfaces": "",
    "DisableStealthModeIPsecSecuredPacketExemption": 0
  },
  "message": ""
}

Event ID 2002 — A Windows Defender Firewall setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A Windows Defender Firewall setting has changed.

Message #

A Windows Defender Firewall setting has changed.

New Setting:
	Type: %1
	Value: %4
	Modifying User: %6
	Modifying Application: %7

Fields #

Name	Description
`SettingType` UInt32	—
`SettingValueSize` UInt32	—
`SettingValue` Binary	—
`SettingValueDisplay` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:00:02.923110+00:00",
    "event_record_id": 290,
    "correlation": {},
    "execution": {
      "process_id": 1212,
      "thread_id": 2276
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SettingType": 2,
    "SettingValueSize": 4,
    "SettingValue": "01000000",
    "SettingValueDisplay": "(null)",
    "Origin": 1,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": ""
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2003 — A Windows Defender Firewall setting in the Profiles profile has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Collection Priority: Recommended (Olaf Hartong)
Opcode: Info

Description

A Windows Defender Firewall setting in the Profiles profile has changed.

Message #

A Windows Defender Firewall setting in the %1 profile has changed.
New Setting:
	Type: %2
	Value: %5
	Modifying User: %7
	Modifying Application: %8

Fields #

Name	Description
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`SettingType` UInt32	—
`SettingValueSize` UInt32	—
`SettingValue` Binary	—
`SettingValueString` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2003,
    "version": "0",
    "level": "4",
    "task": "0",
    "opcode": "0",
    "keywords": 9223372036854775808,
    "time_created": "2021-06-03T19:39:52.893086100Z",
    "event_record_id": "912",
    "correlation": {},
    "execution": {
      "process_id": "1000",
      "thread_id": "5464"
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "fs01.offsec.lan",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Profiles": "1",
    "SettingType": "1",
    "SettingValueSize": "4",
    "SettingValue": "01000000",
    "SettingValueString": "Yes",
    "Origin": "1",
    "ModifyingUser": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
  }
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 2004 — A rule has been added to the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Collection Priority: Recommended (NSA)
Opcode: Info

Description

A rule has been added to the Windows Defender Firewall exception list.

Message #

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23

Fields #

Name	Description
`RuleId` UnicodeString	GUID uniquely identifying the new firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32	—
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that added the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that added the firewall rule
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2004,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2022-04-07T17:06:55.849451+00:00",
    "event_record_id": 173,
    "correlation": {},
    "execution": {
      "process_id": 1928,
      "thread_id": 5436
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "ADDS-NB-Datagram-UDP-In",
    "RuleName": "Active Directory Domain Controller - NetBIOS name resolution (UDP-In)",
    "Origin": 1,
    "ApplicationPath": "System",
    "ServiceName": "",
    "Direction": 1,
    "Protocol": 17,
    "LocalPorts": "138",
    "RemotePorts": "*",
    "Action": 3,
    "Profiles": 2147483647,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "@FirewallAPI.dll,-37601",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd364408(v=ws.10)
Example event sourced from https://github.com/NextronSystems/evtx-baseline
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2004-firewall.md

Event ID 2005 — A rule has been modified in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Collection Priority: Recommended (NSA)
Opcode: Info

Description

A rule has been modified in the Windows Defender Firewall exception list.

Message #

A rule has been modified in the Windows Defender Firewall exception list.

Modified Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the modified firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32	—
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that modified the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that modified the firewall rule
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2005,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2022-04-07T17:07:00.091207+00:00",
    "event_record_id": 189,
    "correlation": {},
    "execution": {
      "process_id": 1928,
      "thread_id": 1948
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "FPS-SpoolSvc-In-TCP",
    "RuleName": "File and Printer Sharing (Spooler Service - RPC)",
    "Origin": 1,
    "ApplicationPath": "C:\\Windows\\system32\\spoolsv.exe",
    "ServiceName": "Spooler",
    "Direction": 1,
    "Protocol": 6,
    "LocalPorts": "RPC",
    "RemotePorts": "*",
    "Action": 3,
    "Profiles": 7,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "@FirewallAPI.dll,-28502",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2005-firewall.md

Event ID 2006 — A rule has been deleted in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Collection Priority: Recommended (NSA)
Opcode: Info

Description

A rule has been deleted in the Windows Defender Firewall exception list.

Message #

A rule has been deleted in the Windows Defender Firewall exception list.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the deleted firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`ModifyingUser` SID	SID of the account that deleted the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that deleted the firewall rule

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2006,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2022-04-04T08:05:47.030869+00:00",
    "event_record_id": 275,
    "correlation": {},
    "execution": {
      "process_id": 1320,
      "thread_id": 5056
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{731057A4-5875-4405-ACE3-4C0DD0043413}",
    "RuleName": "WinDefend Outbound for TCP",
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2006-firewall.md

Event ID 2007 — A rule has been listed when the Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose
Level: Informational
Opcode: Info

Description

A rule has been listed when the Windows Defender Firewall started.

Message #

A rule has been listed when the Windows Defender Firewall started.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`ApplicationPath` UnicodeString	—
`ServiceName` UnicodeString	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2007,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-13T21:48:08.634627+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 2016,
      "thread_id": 3152
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "PlayTo-QWave-Out-TCP-PlayToScope",
    "RuleName": "Cast to Device functionality (qWave-TCP-Out)",
    "Origin": 1,
    "ApplicationPath": "C:\\Windows\\system32\\svchost.exe",
    "ServiceName": "Qwave",
    "Direction": 2,
    "Protocol": 6,
    "LocalPorts": "*",
    "RemotePorts": "2177",
    "Action": 3,
    "Profiles": 6,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "@FirewallAPI.dll,-36001",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0
  },
  "message": ""
}

Event ID 2008 — Windows Defender Firewall Group Policy settings have changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Windows Defender Firewall Group Policy settings have changed. The new settings have been applied.

Message #

Windows Defender Firewall Group Policy settings have changed. The new settings have been applied

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2008,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T23:50:01.847874+00:00",
    "event_record_id": 1250,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 9248
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2009 — The Windows Defender Firewall service failed to load Group Policy.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Collection Priority: Recommended (NSA)
Opcode: Info

Description

The Windows Defender Firewall service failed to load Group Policy.

Message #

The Windows Defender Firewall service failed to load Group Policy.
Error: %1

Fields #

Name	Description
`ErrorCode` Int32	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

The Windows Defender Firewall Service Failed To Load Group Policy source low: Detects activity when The Windows Defender Firewall service failed to load Group Policy

Event ID 2010 — Network profile changed on an interface.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Network profile changed on an interface.

Message #

Network profile changed on an interface.

Adapter GUID: %1
Adapter Name: %2
Old Profile: %3
New Profile: %4

Fields #

Name	Description
`InterfaceGuid` GUID	—
`InterfaceName` UnicodeString	—
`OldProfile` UInt32	—
`NewProfile` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2010,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:51.427999+00:00",
    "event_record_id": 719,
    "correlation": {},
    "execution": {
      "process_id": 3344,
      "thread_id": 3844
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "InterfaceGuid": "8E4162AD-6500-4899-BA95-24051405E207",
    "InterfaceName": "ethernet_32769",
    "OldProfile": 2147483649,
    "NewProfile": 4
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2011 — Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Message #

Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Reason: %1
Application Path: %2
IP Version: %3
Protocol: %4
Port: %5
Process Id: %6
User: %7

Fields #

Name	Description
`ReasonCode` UInt32	—
`ApplicationPath` UnicodeString	—
`IPVersion` UInt8	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Port` UInt16	—
`ProcessId` UInt32	—
`ModifyingUser` SID	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2011,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:12:17.921409+00:00",
    "event_record_id": 258,
    "correlation": {},
    "execution": {
      "process_id": 1928,
      "thread_id": 2428
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ReasonCode": 64,
    "ApplicationPath": "C:\\windows\\system32\\dns.exe",
    "IPVersion": 1,
    "Protocol": 17,
    "Port": 53,
    "ProcessId": 2208,
    "ModifyingUser": "S-1-5-18"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2012 — A connection security rule was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Level: Informational
Opcode: Info

Description

A connection security rule was added to IPsec settings.

Message #

A connection security rule was added to IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`Active` UInt16	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString	—
`Endpoint2Ports` UnicodeString	—
`LocalTunnelEndpointV4` UInt32	—
`LocalTunnelEndpointV6` Binary	—
`RemoteTunnelEndpointV4` UInt32	—
`RemoteTunnelEndpointV6` Binary	—
`Phase1AuthSetId` UnicodeString	—
`Phase2AuthSetId` UnicodeString	—
`Phase2CryptoSetId` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`MMParentRuleId` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`IsDTM` UInt16	—
`ApplyAuthZ` UInt16	—
`BypassTunnelIfEncrypted` UInt16	—
`NoIPSecOnOutbound` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2012,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T20:18:50.849002+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 2024,
      "thread_id": 5644
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{381d54cc-2531-403f-a16e-a1703049dcb4}",
    "RuleName": "EvtGen-IPsec-Test",
    "Origin": 1,
    "Active": 1,
    "Protocol": 256,
    "Endpoint1Ports": "",
    "Endpoint2Ports": "",
    "LocalTunnelEndpointV4": 0,
    "LocalTunnelEndpointV6": "00000000000000000000000000000000",
    "RemoteTunnelEndpointV4": 0,
    "RemoteTunnelEndpointV6": "00000000000000000000000000000000",
    "Phase1AuthSetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
    "Phase2AuthSetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}",
    "Phase2CryptoSetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
    "Action": 2,
    "Profiles": 2147483647,
    "Endpoint1": "*",
    "Endpoint2": "*",
    "MMParentRuleId": "",
    "EmbeddedContext": "",
    "Flags": 1,
    "IsDTM": 0,
    "ApplyAuthZ": 0,
    "BypassTunnelIfEncrypted": 0,
    "NoIPSecOnOutbound": 0,
    "ModifyingUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536
  },
  "message": ""
}

Event ID 2013 — A connection security rule was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A connection security rule was modified in IPsec settings.

Message #

A connection security rule was modified in IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`Active` UInt16	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString	—
`Endpoint2Ports` UnicodeString	—
`LocalTunnelEndpointV4` UInt32	—
`LocalTunnelEndpointV6` Binary	—
`RemoteTunnelEndpointV4` UInt32	—
`RemoteTunnelEndpointV6` Binary	—
`Phase1AuthSetId` UnicodeString	—
`Phase2AuthSetId` UnicodeString	—
`Phase2CryptoSetId` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`MMParentRuleId` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`IsDTM` UInt16	—
`ApplyAuthZ` UInt16	—
`BypassTunnelIfEncrypted` UInt16	—
`NoIPSecOnOutbound` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2014 — A connection security rule was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Level: Informational
Opcode: Info

Description

A connection security rule was deleted from IPsec settings.

Message #

A connection security rule was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2014,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T20:19:58.877628+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 2024,
      "thread_id": 2032
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{381d54cc-2531-403f-a16e-a1703049dcb4}",
    "RuleName": "EvtGen-IPsec-Test",
    "ModifyingUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
  },
  "message": ""
}

Event ID 2015 — A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Opcode: Info

Description

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Message #

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`Active` UInt16	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString	—
`Endpoint2Ports` UnicodeString	—
`LocalTunnelEndpointV4` UInt32	—
`LocalTunnelEndpointV6` Binary	—
`RemoteTunnelEndpointV4` UInt32	—
`RemoteTunnelEndpointV6` Binary	—
`Phase1AuthSetId` UnicodeString	—
`Phase2AuthSetId` UnicodeString	—
`Phase2CryptoSetId` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`MMParentRuleId` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`IsDTM` UInt16	—
`ApplyAuthZ` UInt16	—
`BypassTunnelIfEncrypted` UInt16	—
`NoIPSecOnOutbound` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2016 — A main mode rule has been added in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been added in the IPsec settings.

Message #

A main mode rule has been added in the IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`Phase1AuthSetId` UnicodeString	—
`Phase1CryptoSetId` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2017 — A main mode rule has been modified in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been modified in the IPsec settings.

Message #

A main mode rule has been modified in the IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`Phase1AuthSetId` UnicodeString	—
`Phase1CryptoSetId` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2018 — A main mode rule has been deleted in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been deleted in the IPsec settings.

Message #

A main mode rule has been deleted in the IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2019 — A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Opcode: Info

Description

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Message #

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`Phase1AuthSetId` UnicodeString	—
`Phase1CryptoSetId` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2020 — A phase 1 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings.

Message #

A phase 1 crypto set was added to IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Flags` UInt16	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`TimeOutMinutes` UInt32	—
`TimeOutSessions` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2021 — A phase 1 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was modified in IPsec settings.

Message #

A phase 1 crypto set was modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Flags` UInt16	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`TimeOutMinutes` UInt32	—
`TimeOutSessions` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2022 — A phase 1 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was deleted from IPsec settings.

Message #

A phase 1 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2023 — A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Message #

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Flags` UInt16	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`TimeOutMinutes` UInt32	—
`TimeOutSessions` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2023,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T21:48:08.635709+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 2016,
      "thread_id": 3152
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}",
    "SetName": "Service Hardcoded Default Phase1 CryptoSet",
    "EmbeddedContext": "",
    "Origin": 5,
    "CryptoSetFlags": 0,
    "Flags": 0,
    "NumSuites": 2,
    "SuitesBinaryLength": 32,
    "CryptoSuites": "0200000003000000020000000000000002000000020000000200000000000000",
    "TimeOutMinutes": 480,
    "TimeOutSessions": 0,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536
  },
  "message": ""
}

Event ID 2024 — A phase 2 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings.

Message #

A phase 2 crypto set was added to IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Pfs` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2025 — A phase 2 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was modified in IPsec settings.

Message #

A phase 2 crypto set was modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Pfs` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2026 — A phase 2 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was deleted from IPsec settings.

Message #

A phase 2 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2027 — A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Message #

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Pfs` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2027,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T21:48:08.635713+00:00",
    "event_record_id": 7,
    "correlation": {},
    "execution": {
      "process_id": 2016,
      "thread_id": 3152
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
    "SetName": "Service Hardcoded Default Phase2 CryptoSet",
    "EmbeddedContext": "",
    "Origin": 5,
    "CryptoSetFlags": 0,
    "Pfs": 1,
    "NumSuites": 4,
    "SuitesBinaryLength": 112,
    "CryptoSuites": "020000000000000002000000000000003C000000A086010000000000020000000000000002000000030000003C000000A086010000000000020000000000000002000000020000003C000000A086010000000000010000000200000000000000000000003C000000A086010000000000",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536
  },
  "message": ""
}

Event ID 2028 — An authentication set has been added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

An authentication set has been added to IPsec settings.

Message #

An authentication set has been added to IPsec settings.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`IPsecPhase` UInt32	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`AuthSetFlags` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`AuthenticationSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2029 — An authentication set has been modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

An authentication set has been modified in IPsec settings.

Message #

An authentication set has been modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`IPsecPhase` UInt32	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`AuthSetFlags` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`AuthenticationSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—

Event ID 2030 — An authentication set has been deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

An authentication set has been deleted from IPsec settings.

Message #

An authentication set has been deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`IPsecPhase` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2031 — An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Message #

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`IPsec Phase`	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`AuthSetFlags` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`AuthenticationSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`IPsecPhase` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2031,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T21:48:08.635699+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 2016,
      "thread_id": 3152
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
    "SetName": "Service Hardcoded Default Phase1 AuthSet",
    "IPsec Phase": 1,
    "EmbeddedContext": "",
    "Origin": 5,
    "AuthSetFlags": 0,
    "NumSuites": 1,
    "SuitesBinaryLength": 12,
    "AuthenticationSuites": "020000000000000000000000",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536
  },
  "message": ""
}

Event ID 2032 — Windows Defender Firewall has been reset to its default configuration.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Windows Defender Firewall has been reset to its default configuration.

Message #

Windows Defender Firewall has been reset to its default configuration.

	ModifyingUser: %1
	ModifyingApplication: %2

Fields #

Name	Description
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2032,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T23:28:37.812945+00:00",
    "event_record_id": 628,
    "correlation": {},
    "execution": {
      "process_id": 2016,
      "thread_id": 12488
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ModifyingUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ModifyingApplication": "C:\\Windows\\System32\\netsh.exe"
  },
  "message": ""
}

Event ID 2033 — All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Collection Priority: Recommended (NSA)
Opcode: Info

Description

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Message #

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3

Fields #

Name	Description
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2034 — All connection security rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All connection security rules have been deleted from the IPsec configuration on this computer.

Message #

All connection security rules have been deleted from the IPsec configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3

Fields #

Name	Description
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2035 — All main mode rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All main mode rules have been deleted from the IPsec configuration on this computer.

Message #

All main mode rules have been deleted from the IPsec configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3

Fields #

Name	Description
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2036 — All authentication sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All authentication sets have been deleted from the IPsec configuration on this computer.

Message #

All authentication sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase: %1
	Store Type: %2
	ModifyingUser: %3
	ModifyingApplication: %4

Fields #

Name	Description
`IPsecPhase` UInt32	—
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2037 — All crypto sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All crypto sets have been deleted from the IPsec configuration on this computer.

Message #

All crypto sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase: %1
	Store Type: %2
	ModifyingUser: %3
	ModifyingApplication: %4

Fields #

Name	Description
`IPsecPhase` UInt32	—
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2038 — Windows Defender Firewall did not apply the following rule because the rule was not properly configured on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

Windows Defender Firewall did not apply the following rule because the rule was not properly configured on this computer.

Message #

Windows Defender Firewall did not apply the following rule because the rule was not properly configured on this computer:

Rule Information:
	ID: %1
	Name: %2

Error Information:
	Reason: %3

Fields #

Name	Description
`ID` UnicodeString	—
`Name` UnicodeString	—
`Reason` UnicodeString	—
`RuleStatus` UInt32	—

Event ID 2039 — Http Proxies Changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Network Isolation Operational
Level: Informational
Opcode: Info

Description

Http Proxies Changed.

Message #

Http Proxies Changed

Reason: %1

All Proxies: %2

All Domain Proxies: %3

Group Policy Configured Domain Proxies: %4

Group Policy Configured Local Proxies: %5

All DA Nat64 Domain Proxies: %6

Group Policy is authoritative: %7

Fields #

Name	Description
`ChangeType` UInt32	—
`All Proxies` UnicodeString	—
`All Domain Proxies` UnicodeString	—
`GP Configured Domain Proxies` UnicodeString	—
`GP Configured Local Proxies` UnicodeString	—
`All DA Nat64 Proxies` UnicodeString	—
`GP Is Authoritative` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2039,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423504,
    "time_created": "2023-11-05T23:50:01.858901+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 9248
    },
    "channel": "Network Isolation Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ChangeType": 0,
    "All Proxies": "*",
    "All Domain Proxies": "*",
    "GP Configured Domain Proxies": "*",
    "GP Configured Local Proxies": "*",
    "All DA Nat64 Proxies": "*",
    "GP Is Authoritative": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2040 — Corp Subnets Changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Network Isolation Operational
Level: Informational
Opcode: Info

Description

Corp Subnets Changed.

Message #

Corp Subnets Changed

Reason: %1

All Domain Subnets: %2

Group Policy Configured Domain Subnets: %3

All DA Nat64 Domain Subnets: %4

Group Policy is authoritative: %5

Fields #

Name	Description
`ChangeType` UInt32	—
`All Domain Proxies`	—
`GP Configured Domain Subnets`	—
`All DA Nat64 Domain Subnets`	—
`GP Is Authoritative`	—
`AllDomainProxies` UnicodeString	—
`GPConfiguredDomainSubnets` UnicodeString	—
`AllDANat64DomainSubnets` UnicodeString	—
`GPIsAuthoritative` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2040,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423504,
    "time_created": "2026-03-13T20:05:11.615994+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Network Isolation Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ChangeType": 0,
    "All Domain Proxies": "*",
    "GP Configured Domain Subnets": "*",
    "All DA Nat64 Domain Subnets": "*",
    "GP Is Authoritative": 0
  },
  "message": ""
}

Event ID 2041 — Capability Changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Network Isolation Operational
Level: Informational
Opcode: Info

Description

Capability Changed.

Message #

Capability Changed

Reason: %1

Capability: %2
Profile: %3
IP Range Definition: %4

Fields #

Name	Description
`ChangeType` UInt32	—
`Capability` UInt32	—
`Profile` UInt32	—
`IP Range Definition` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2041,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423504,
    "time_created": "2023-11-05T23:50:49.936008+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 3800
    },
    "channel": "Network Isolation Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ChangeType": 3,
    "Capability": 0,
    "Profile": 4,
    "IP Range Definition": "0.0.0.0-255.255.255.255,::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2042 — Config Read Failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: System
Opcode: Info

Description

Config Read Failed.

Message #

Config Read Failed

Config: %1
Error: %2

Fields #

Name	Description
`SettingType` UInt32	—
`ErrorCode` Int32	—

Event ID 2043 — The Windows Firewall Service failed to initialize a component.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

The Windows Firewall Service failed to initialize a component. Some policies may not be fully enforced.

Message #

The Windows Firewall Service failed to initialize a component. Some policies may not be fully enforced. 

Component Name: %1
Error Code: %2

Fields #

Name	Description
`ComponentName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2044 — Added Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Added Dynamic Keyword Address.

Message #

Added Dynamic Keyword Address.

Error Code: %1
Id: %2
Keyword: %3
Addresses	%4
AutoResolve: %5

Fields #

Name	Description
`ErrorCode` UInt32	—
`Id` UInt32	—
`Keyword` UnicodeString	—
`Addresses` UnicodeString	—
`AutoResolve` UInt16	—

Event ID 2045 — Deleted Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Deleted Dynamic Keyword Address.

Message #

Deleted Dynamic Keyword Address.

Error Code: %1
Id: %2

Fields #

Name	Description
`ErrorCode` UInt32	—
`Id` UInt32	—

Event ID 2046 — Updated Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Updated Dynamic Keyword Address.

Message #

Updated Dynamic Keyword Address.

Error Code: %1
Id: %2
Append: %3
Previous Addresses: %4
Addresses to update: %5
Updated Addresses	%6

Fields #

Name	Description
`ErrorCode` UInt32	—
`Id` UInt32	—
`Append` UInt16	—
`PreviousAddresses` UnicodeString	—
`AddressesToUpdate` UnicodeString	—
`UpdatedAddresses` UnicodeString	—

Event ID 2047 — Tenant Restrictions Policy Update.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Tenant Restrictions Policy Update.

Message #

Tenant Restrictions Policy Update.

Error code: %1
Old Addresses: %2
New Addresses: %3

Fields #

Name	Description
`ErrorCode` UInt32	—
`PreviousAddresses` UnicodeString	—
`UpdatedAddresses` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2047,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:34:38.294357+00:00",
    "event_record_id": 292,
    "correlation": {},
    "execution": {
      "process_id": 1212,
      "thread_id": 3732
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ErrorCode": 0,
    "PreviousAddresses": "",
    "UpdatedAddresses": ""
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2048 — Added Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Added Dynamic Keyword Address.

Message #

Added Dynamic Keyword Address.

Error Code: %1
Id: %2
Keyword: %3
Addresses	%4
AutoResolve: %5

Fields #

Name	Description
`ErrorCode` UInt32	—
`Id` GUID	—
`Keyword` UnicodeString	—
`Addresses` UnicodeString	—
`AutoResolve` UInt16	—

Event ID 2049 — Deleted Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Deleted Dynamic Keyword Address.

Message #

Deleted Dynamic Keyword Address.

Error Code: %1
Id: %2

Fields #

Name	Description
`ErrorCode` UInt32	—
`Id` GUID	—

Event ID 2050 — Updated Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Updated Dynamic Keyword Address.

Message #

Updated Dynamic Keyword Address.

Error Code: %1
Id: %2
Append: %3
Previous Addresses: %4
Addresses to update: %5
Updated Addresses	%6

Fields #

Name	Description
`ErrorCode` UInt32	—
`Id` GUID	—
`Append` UInt16	—
`PreviousAddresses` UnicodeString	—
`AddressesToUpdate` UnicodeString	—
`UpdatedAddresses` UnicodeString	—

Event ID 2051 — Tenant Restrictions Policy Update.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Tenant Restrictions Policy Update.

Message #

Tenant Restrictions Policy Update

Error code: %1
Policy Change: %2

Fields #

Name	Description
`ErrorCode` UInt32	—
`PolicyChange` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2051,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:51.342732+00:00",
    "event_record_id": 717,
    "correlation": {},
    "execution": {
      "process_id": 3344,
      "thread_id": 3768
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ErrorCode": 0,
    "PolicyChange": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2051 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

Tenant Restrictions Policy Update.

Fields #

Name	Description
`ErrorCode` UInt32	—
`PolicyChange` UInt32	—

Event ID 2052 — A rule has been deleted in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A rule has been deleted in the Windows Defender Firewall exception list.

Message #

A rule has been deleted in the Windows Defender Firewall exception list.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %5

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the deleted firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`ModifyingUser` SID	SID of the account that deleted the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that deleted the firewall rule
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2052,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2023-11-06T01:42:34.475801+00:00",
    "event_record_id": 1314,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 16976
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{7F9A364D-0AAE-43ED-A6D1-8D400D83CF18}",
    "RuleName": "WindowsAppRuntime.1.2",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "ErrorCode": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2052-firewall-windows-11.md

Event ID 2052 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A rule has been deleted in the Windows Defender Firewall exception list.

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the deleted firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`ModifyingUser` SID	SID of the account that deleted the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that deleted the firewall rule
`ErrorCode` UInt32	—

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2052-firewall-windows-11.md

Event ID 2053 — A connection security rule was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A connection security rule was deleted from IPsec settings.

Message #

A connection security rule was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %5

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2053 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A connection security rule was deleted from IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2054 — A main mode rule has been deleted in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been deleted in the IPsec settings.

Message #

A main mode rule has been deleted in the IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %5

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2054 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A main mode rule has been deleted in the IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2055 — A phase 1 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was deleted from IPsec settings.

Message #

A phase 1 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %5

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2055 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 1 crypto set was deleted from IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2056 — A phase 2 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was deleted from IPsec settings.

Message #

A phase 2 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %5

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2056 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 2 crypto set was deleted from IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2057 — All connection security rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All connection security rules have been deleted from the IPsec configuration on this computer.

Message #

All connection security rules have been deleted from the IPsec configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3
	Error Code: %4

Fields #

Name	Description
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2057 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

All connection security rules have been deleted from the IPsec configuration on this computer.

Fields #

Name	Description
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2058 — All main mode rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All main mode rules have been deleted from the IPsec configuration on this computer.

Message #

All main mode rules have been deleted from the IPsec configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3
	Error Code: %4

Fields #

Name	Description
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2058 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

All main mode rules have been deleted from the IPsec configuration on this computer.

Fields #

Name	Description
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2059 — All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Message #

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3
	Error Code: %4

Fields #

Name	Description
`Store Type`	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2059,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:51.342184+00:00",
    "event_record_id": 716,
    "correlation": {},
    "execution": {
      "process_id": 3344,
      "thread_id": 3768
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Store Type": 12,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "ErrorCode": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2059 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Fields #

Name	Description
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2060 — Windows Defender Firewall has been reset to its default configuration.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Windows Defender Firewall has been reset to its default configuration.

Message #

Windows Defender Firewall has been reset to its default configuration.

	ModifyingUser: %1
	ModifyingApplication: %2
	Error Code: %3

Fields #

Name	Description
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2060 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

Windows Defender Firewall has been reset to its default configuration.

Fields #

Name	Description
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2061 — A connection security rule was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A connection security rule was added to IPsec settings.

Message #

A connection security rule was added to IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27
	Error Code: %30

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`Active` UInt16	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString	—
`Endpoint2Ports` UnicodeString	—
`LocalTunnelEndpointV4` UInt32	—
`LocalTunnelEndpointV6` Binary	—
`RemoteTunnelEndpointV4` UInt32	—
`RemoteTunnelEndpointV6` Binary	—
`Phase1AuthSetId` UnicodeString	—
`Phase2AuthSetId` UnicodeString	—
`Phase2CryptoSetId` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`MMParentRuleId` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`IsDTM` UInt16	—
`ApplyAuthZ` UInt16	—
`BypassTunnelIfEncrypted` UInt16	—
`NoIPSecOnOutbound` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2061 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A connection security rule was added to IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`Active` UInt16	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString	—
`Endpoint2Ports` UnicodeString	—
`LocalTunnelEndpointV4` UInt32	—
`LocalTunnelEndpointV6` Binary	—
`RemoteTunnelEndpointV4` UInt32	—
`RemoteTunnelEndpointV6` Binary	—
`Phase1AuthSetId` UnicodeString	—
`Phase2AuthSetId` UnicodeString	—
`Phase2CryptoSetId` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`MMParentRuleId` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`IsDTM` UInt16	—
`ApplyAuthZ` UInt16	—
`BypassTunnelIfEncrypted` UInt16	—
`NoIPSecOnOutbound` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2062 — A connection security rule was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A connection security rule was modified in IPsec settings.

Message #

A connection security rule was modified in IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27
	Error Code: %30

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`Active` UInt16	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString	—
`Endpoint2Ports` UnicodeString	—
`LocalTunnelEndpointV4` UInt32	—
`LocalTunnelEndpointV6` Binary	—
`RemoteTunnelEndpointV4` UInt32	—
`RemoteTunnelEndpointV6` Binary	—
`Phase1AuthSetId` UnicodeString	—
`Phase2AuthSetId` UnicodeString	—
`Phase2CryptoSetId` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`MMParentRuleId` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`IsDTM` UInt16	—
`ApplyAuthZ` UInt16	—
`BypassTunnelIfEncrypted` UInt16	—
`NoIPSecOnOutbound` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2062 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A connection security rule was modified in IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`Active` UInt16	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString	—
`Endpoint2Ports` UnicodeString	—
`LocalTunnelEndpointV4` UInt32	—
`LocalTunnelEndpointV6` Binary	—
`RemoteTunnelEndpointV4` UInt32	—
`RemoteTunnelEndpointV6` Binary	—
`Phase1AuthSetId` UnicodeString	—
`Phase2AuthSetId` UnicodeString	—
`Phase2CryptoSetId` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`MMParentRuleId` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`IsDTM` UInt16	—
`ApplyAuthZ` UInt16	—
`BypassTunnelIfEncrypted` UInt16	—
`NoIPSecOnOutbound` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2063 — A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Opcode: Info

Description

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Message #

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27n	Error Code: %30

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`Active` UInt16	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString	—
`Endpoint2Ports` UnicodeString	—
`LocalTunnelEndpointV4` UInt32	—
`LocalTunnelEndpointV6` Binary	—
`RemoteTunnelEndpointV4` UInt32	—
`RemoteTunnelEndpointV6` Binary	—
`Phase1AuthSetId` UnicodeString	—
`Phase2AuthSetId` UnicodeString	—
`Phase2CryptoSetId` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`MMParentRuleId` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`IsDTM` UInt16	—
`ApplyAuthZ` UInt16	—
`BypassTunnelIfEncrypted` UInt16	—
`NoIPSecOnOutbound` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2063 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`Active` UInt16	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString	—
`Endpoint2Ports` UnicodeString	—
`LocalTunnelEndpointV4` UInt32	—
`LocalTunnelEndpointV6` Binary	—
`RemoteTunnelEndpointV4` UInt32	—
`RemoteTunnelEndpointV6` Binary	—
`Phase1AuthSetId` UnicodeString	—
`Phase2AuthSetId` UnicodeString	—
`Phase2CryptoSetId` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`MMParentRuleId` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`IsDTM` UInt16	—
`ApplyAuthZ` UInt16	—
`BypassTunnelIfEncrypted` UInt16	—
`NoIPSecOnOutbound` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2064 — An authentication set has been added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

An authentication set has been added to IPsec settings.

Message #

An authentication set has been added to IPsec settings.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`IPsecPhase` UInt32	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`AuthSetFlags` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`AuthenticationSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2064 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

An authentication set has been added to IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`IPsecPhase` UInt32	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`AuthSetFlags` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`AuthenticationSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2065 — An authentication set has been modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

An authentication set has been modified in IPsec settings.

Message #

An authentication set has been modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`IPsecPhase` UInt32	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`AuthSetFlags` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`AuthenticationSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2065 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

An authentication set has been modified in IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`IPsecPhase` UInt32	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`AuthSetFlags` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`AuthenticationSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2066 — An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Message #

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`IPsec Phase`	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`AuthSetFlags` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`AuthenticationSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—
`IPsecPhase` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2066,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T20:05:11.425413+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
    "SetName": "Service Hardcoded Default Phase1 AuthSet",
    "IPsec Phase": 1,
    "EmbeddedContext": "",
    "Origin": 5,
    "AuthSetFlags": 0,
    "NumSuites": 1,
    "SuitesBinaryLength": 12,
    "AuthenticationSuites": "020000000000000000000000",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536,
    "ErrorCode": 0
  },
  "message": ""
}

Event ID 2066 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`IPsecPhase` UInt32	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`AuthSetFlags` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`AuthenticationSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2067 — An authentication set has been deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

An authentication set has been deleted from IPsec settings.

Message #

An authentication set has been deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %6

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`IPsecPhase` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2067 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

An authentication set has been deleted from IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`IPsecPhase` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2068 — A main mode rule has been added in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been added in the IPsec settings.

Message #

A main mode rule has been added in the IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`Phase1AuthSetId` UnicodeString	—
`Phase1CryptoSetId` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2068 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A main mode rule has been added in the IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`Phase1AuthSetId` UnicodeString	—
`Phase1CryptoSetId` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2069 — A main mode rule has been modified in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been modified in the IPsec settings.

Message #

A main mode rule has been modified in the IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`Phase1AuthSetId` UnicodeString	—
`Phase1CryptoSetId` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2069 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A main mode rule has been modified in the IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`Phase1AuthSetId` UnicodeString	—
`Phase1CryptoSetId` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2070 — A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Opcode: Info

Description

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Message #

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`Phase1AuthSetId` UnicodeString	—
`Phase1CryptoSetId` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2070 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString	—
`Endpoint2` UnicodeString	—
`Phase1AuthSetId` UnicodeString	—
`Phase1CryptoSetId` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2071 — A rule has been added to the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A rule has been added to the Windows Defender Firewall exception list.

Message #

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23
	Error Code: %27

Fields #

Name	Description
`RuleId` UnicodeString	GUID uniquely identifying the new firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32	—
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that added the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that added the firewall rule
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2071,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2026-03-11T19:32:55.589894+00:00",
    "event_record_id": 1605,
    "correlation": {
      "ActivityID": "33984C15-9559-46A4-820A-46ACEBD01B04"
    },
    "execution": {
      "process_id": 3120,
      "thread_id": 2392
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{DC92C56C-4138-4D46-B25D-97D3C349B695}",
    "RuleName": "@{Microsoft.DesktopAppInstaller_1.28.220.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}",
    "Origin": 1,
    "ApplicationPath": "",
    "ServiceName": "",
    "Direction": 1,
    "Protocol": 256,
    "LocalPorts": "",
    "RemotePorts": "",
    "Action": 3,
    "Profiles": 3,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "@{Microsoft.DesktopAppInstaller_1.28.220.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 544,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "ErrorCode": 0
  },
  "message": ""
}

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2071-firewall-windows-11.md

Event ID 2071 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A rule has been added to the Windows Defender Firewall exception list.

Fields #

Name	Description
`RuleId` UnicodeString	GUID uniquely identifying the new firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32	—
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that added the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that added the firewall rule
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`ErrorCode` UInt32	—

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2071-firewall-windows-11.md

Event ID 2072 — A rule has been listed when the Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose
Level: Informational
Opcode: Info

Description

A rule has been listed when the Windows Defender Firewall started.

Message #

A rule has been listed when the Windows Defender Firewall started.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Error Code: %27

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`ApplicationPath` UnicodeString	—
`ServiceName` UnicodeString	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2072,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-13T20:05:11.416192+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "WFDPRINT-SPOOL-Out-Active",
    "RuleName": "Wi-Fi Direct Spooler Use (Out)",
    "Origin": 1,
    "ApplicationPath": "C:\\Windows\\system32\\spoolsv.exe",
    "ServiceName": "Spooler",
    "Direction": 2,
    "Protocol": 256,
    "LocalPorts": "",
    "RemotePorts": "",
    "Action": 3,
    "Profiles": 4,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "@FirewallAPI.dll,-36851",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "ErrorCode": 0
  },
  "message": ""
}

Event ID 2072 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A rule has been listed when the Windows Defender Firewall started.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`ApplicationPath` UnicodeString	—
`ServiceName` UnicodeString	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`ErrorCode` UInt32	—

Event ID 2073 — A rule has been modified in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A rule has been modified in the Windows Defender Firewall exception list.

Message #

A rule has been modified in the Windows Defender Firewall exception list.

Modified Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23
	Error Code: %27

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the modified firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32	—
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that modified the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that modified the firewall rule
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2073,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2026-03-11T06:32:02.846978+00:00",
    "event_record_id": 1566,
    "correlation": {
      "ActivityID": "BD42C297-A749-4662-942F-72276C54015A"
    },
    "execution": {
      "process_id": 3120,
      "thread_id": 3720
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "WSLCore-SharedAccess-Allow-Rule",
    "RuleName": "WSLCore SharedAccess Allow Rule",
    "Origin": 3,
    "ApplicationPath": "C:\\Windows\\System32\\svchost.exe",
    "ServiceName": "SharedAccess",
    "Direction": 1,
    "Protocol": 17,
    "LocalPorts": "53",
    "RemotePorts": "*",
    "Action": 3,
    "Profiles": 2147483647,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "SchemaVersion": 544,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "ErrorCode": 0
  },
  "message": ""
}

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2073-firewall-windows-11.md

Event ID 2073 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A rule has been modified in the Windows Defender Firewall exception list.

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the modified firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32	—
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that modified the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that modified the firewall rule
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`ErrorCode` UInt32	—

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2073-firewall-windows-11.md

Event ID 2074 — All authentication sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All authentication sets have been deleted from the IPsec configuration on this computer.

Message #

All authentication sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase: %1
	Store Type: %2
	ModifyingUser: %3
	ModifyingApplication: %4
	Error Code: %5

Fields #

Name	Description
`IPsecPhase` UInt32	—
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2074 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

All authentication sets have been deleted from the IPsec configuration on this computer.

Fields #

Name	Description
`IPsecPhase` UInt32	—
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2075 — All crypto sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All crypto sets have been deleted from the IPsec configuration on this computer.

Message #

All crypto sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase: %1
	Store Type: %2
	ModifyingUser: %3
	ModifyingApplication: %4
	Error Code: %5

Fields #

Name	Description
`IPsecPhase` UInt32	—
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2075 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

All crypto sets have been deleted from the IPsec configuration on this computer.

Fields #

Name	Description
`IPsecPhase` UInt32	—
`StoreType` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2076 — A phase 1 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings.

Message #

A phase 1 crypto set was added to IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Flags` UInt16	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`TimeOutMinutes` UInt32	—
`TimeOutSessions` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2076 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Flags` UInt16	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`TimeOutMinutes` UInt32	—
`TimeOutSessions` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2077 — A phase 1 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was modified in IPsec settings.

Message #

A phase 1 crypto set was modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Flags` UInt16	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`TimeOutMinutes` UInt32	—
`TimeOutSessions` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2077 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 1 crypto set was modified in IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Flags` UInt16	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`TimeOutMinutes` UInt32	—
`TimeOutSessions` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2078 — A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Message #

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Flags` UInt16	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`TimeOutMinutes` UInt32	—
`TimeOutSessions` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2078,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T20:05:11.425493+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}",
    "SetName": "Service Hardcoded Default Phase1 CryptoSet",
    "EmbeddedContext": "",
    "Origin": 5,
    "CryptoSetFlags": 0,
    "Flags": 0,
    "NumSuites": 2,
    "SuitesBinaryLength": 32,
    "CryptoSuites": "0200000003000000020000000000000002000000020000000200000000000000",
    "TimeOutMinutes": 480,
    "TimeOutSessions": 0,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536,
    "ErrorCode": 0
  },
  "message": ""
}

Event ID 2078 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Flags` UInt16	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`TimeOutMinutes` UInt32	—
`TimeOutSessions` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2079 — A phase 2 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings.

Message #

A phase 2 crypto set was added to IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Pfs` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2079 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Pfs` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2080 — A phase 2 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was modified in IPsec settings.

Message #

A phase 2 crypto set was modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Pfs` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2080 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 2 crypto set was modified in IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Pfs` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2081 — A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Message #

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Pfs` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2081,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T20:05:11.425532+00:00",
    "event_record_id": 7,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
    "SetName": "Service Hardcoded Default Phase2 CryptoSet",
    "EmbeddedContext": "",
    "Origin": 5,
    "CryptoSetFlags": 0,
    "Pfs": 1,
    "NumSuites": 4,
    "SuitesBinaryLength": 112,
    "CryptoSuites": "020000000000000002000000000000003C000000A086010000000000020000000000000002000000030000003C000000A086010000000000020000000000000002000000020000003C000000A086010000000000010000000200000000000000000000003C000000A086010000000000",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536,
    "ErrorCode": 0
  },
  "message": ""
}

Event ID 2081 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Fields #

Name	Description
`SetId` UnicodeString	—
`SetName` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Origin` UInt32	—
`CryptoSetFlags` UInt32	—
`Pfs` UInt32	—
`NumSuites` UInt32	—
`SuitesBinaryLength` UInt32	—
`CryptoSuites` Binary	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`ErrorCode` UInt32	—

Event ID 2082 — A Windows Defender Firewall setting in the Profiles profile has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A Windows Defender Firewall setting in the Profiles profile has changed.

Message #

A Windows Defender Firewall setting in the %1 profile has changed.
New Setting:
	Type: %2
	Value: %5
	Modifying User: %7
	Modifying Application: %8
	Error Code: %9

Fields #

Name	Description
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`SettingType` UInt32	—
`SettingValueSize` UInt32	—
`SettingValue` Binary	—
`SettingValueString` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2082,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T00:14:24.218884+00:00",
    "event_record_id": 1270,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 8508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Profiles": 1,
    "SettingType": 3,
    "SettingValueSize": 4,
    "SettingValue": "00000000",
    "SettingValueString": "No",
    "Origin": 1,
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Program Files (x86)\\Avira\\Antivirus\\ccuac.exe",
    "ErrorCode": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2082 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Windows Defender Firewall setting in the profile has changed.

Fields #

Name	Description
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`SettingType` UInt32	—
`SettingValueSize` UInt32	—
`SettingValue` Binary	—
`SettingValueString` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2083 — A Windows Defender Firewall setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A Windows Defender Firewall setting has changed.

Message #

A Windows Defender Firewall setting has changed.

New Setting:
	Type: %1
	Value: %4
	Modifying User: %6
	Modifying Application: %7
	Error Code: %8

Fields #

Name	Description
`SettingType` UInt32	—
`SettingValueSize` UInt32	—
`SettingValue` Binary	—
`SettingValueDisplay` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2083,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:52:38.271525+00:00",
    "event_record_id": 650,
    "correlation": {},
    "execution": {
      "process_id": 2884,
      "thread_id": 4496
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SettingType": 2,
    "SettingValueSize": 4,
    "SettingValue": "06000000",
    "SettingValueDisplay": "(null),(null)",
    "Origin": 1,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "",
    "ErrorCode": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2083 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Windows Defender Firewall setting has changed.

Fields #

Name	Description
`SettingType` UInt32	—
`SettingValueSize` UInt32	—
`SettingValue` Binary	—
`SettingValueDisplay` UnicodeString	—
`Origin` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2084 — Added a Duplicate Rule.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Added a Duplicate Rule.

Message #

Added a Duplicate Rule

Rule Name: %1

Fields #

Name	Description
`RuleName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2084,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:51.051278+00:00",
    "event_record_id": 715,
    "correlation": {},
    "execution": {
      "process_id": 3344,
      "thread_id": 3768
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleName": "@{Microsoft.WindowsTerminal_1.18.2822.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsTerminal/Resources/AppStoreName}"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2084 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

Added a Duplicate Rule.

Fields #

Name	Description
`RuleName` UnicodeString	—

Event ID 2085 — Created Hyper-V Port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Created Hyper-V Port.

Message #

Created Hyper-V Port.

Error code: %1
Activity GUID: %2
Switch Name: %3
Port Name: %4
VM Creator ID: %5
Interface GUID: %6
Partition GUID: %7
Constrained: %8

Fields #

Name	Description
`ErrorCode` UInt32	—
`ActivityGUID` GUID	—
`SwitchName` UnicodeString	—
`PortName` UnicodeString	—
`VMCreatorId` GUID	—
`InterfaceGUID` GUID	—
`PartitionGUID` GUID	—
`Constrained` UInt16	—

Event ID 2085 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

Created Hyper-V Port.

Fields #

Name	Description
`ErrorCode` UInt32	—
`ActivityGUID` GUID	—
`SwitchName` UnicodeString	—
`PortName` UnicodeString	—
`VMCreatorId` GUID	—
`InterfaceGUID` GUID	—
`PartitionGUID` GUID	—
`Constrained` UInt16	—

Event ID 2086 — Updated Hyper-V Port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Updated Hyper-V Port.

Message #

Updated Hyper-V Port.

Error code: %1
Activity GUID: %2
Switch Name: %3
Port Name: %4
VM Creator ID: %5
Interface GUID: %6
Partition GUID: %7
Constrained: %8

Fields #

Name	Description
`ErrorCode` UInt32	—
`ActivityGUID` GUID	—
`SwitchName` UnicodeString	—
`PortName` UnicodeString	—
`VMCreatorId` GUID	—
`InterfaceGUID` GUID	—
`PartitionGUID` GUID	—
`Constrained` UInt16	—

Event ID 2086 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

Updated Hyper-V Port.

Fields #

Name	Description
`ErrorCode` UInt32	—
`ActivityGUID` GUID	—
`SwitchName` UnicodeString	—
`PortName` UnicodeString	—
`VMCreatorId` GUID	—
`InterfaceGUID` GUID	—
`PartitionGUID` GUID	—
`Constrained` UInt16	—

Event ID 2087 — Deleted Hyper-V Port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Deleted Hyper-V Port.

Message #

Deleted Hyper-V Port.

Error code: %1
Activity GUID: %2
Switch Name: %3
Port Name: %4

Fields #

Name	Description
`ErrorCode` UInt32	—
`ActivityGUID` GUID	—
`SwitchName` UnicodeString	—
`PortName` UnicodeString	—

Event ID 2087 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

Deleted Hyper-V Port.

Fields #

Name	Description
`ErrorCode` UInt32	—
`ActivityGUID` GUID	—
`SwitchName` UnicodeString	—
`PortName` UnicodeString	—

Event ID 2088 — A Hyper-V Firewall VM Setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V Firewall VM Setting has changed.

Message #

A Hyper-V Firewall VM Setting has changed.
Error Code: %1
Origin: %2
VM Creator ID: %3
Setting: %4
	Value: %5
	Modifying User: %6
	Modifying Application: %7

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`VMCreatorId` GUID	—
`VMConfig` UInt32	—
`Value` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2088 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V Firewall VM Setting has changed.

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`VMCreatorId` GUID	—
`VMConfig` UInt32	—
`Value` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2089 — A Hyper-V Firewall VM Setting has reset.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V Firewall VM Setting has reset.

Message #

A Hyper-V Firewall VM Setting has reset.
Error Code: %1
Origin: %2
VM Creator ID: %3
Setting: %4
Modifying User: %5
	Modifying Application: %6

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`VMCreatorId` GUID	—
`VMConfig` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2089 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V Firewall VM Setting has reset.

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`VMCreatorId` GUID	—
`VMConfig` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2090 — A Hyper-V rule has been added.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V rule has been added.

Message #

A Hyper-V rule has been added.

Error Code: %1
Origin: %2
Rule ID: %3
Rule Name: %4
VM Creator ID: %5
Priority: %6
Direction: %7
Action: %8
Protocol: %9
Local Ports: %10
Remote Ports: %11
Local Addresses: %12
Remote Addresses: %13
Active: %14
Modifying User: %15
	Modifying Application: %16

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`RuleID` UnicodeString	—
`RuleName` UnicodeString	—
`VMCreatorId` GUID	—
`Priority` UInt16	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Action` UInt32	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`Active` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2090 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V rule has been added.

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`RuleID` UnicodeString	—
`RuleName` UnicodeString	—
`VMCreatorId` GUID	—
`Priority` UInt16	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Action` UInt32	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`Active` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2091 — A Hyper-V rule has been updated.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V rule has been updated.

Message #

A Hyper-V rule has been updated.

Error Code: %1
Origin: %2
Rule ID: %3
Rule Name: %4
VM Creator ID: %5
Priority: %6
Direction: %7
Action: %8
Protocol: %9
Local Ports: %10
Remote Ports: %11
Local Addresses: %12
Remote Addresses: %13
Active: %14
Modifying User: %15
	Modifying Application: %16

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`RuleID` UnicodeString	—
`RuleName` UnicodeString	—
`VMCreatorId` GUID	—
`Priority` UInt16	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Action` UInt32	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`Active` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2091 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V rule has been updated.

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`RuleID` UnicodeString	—
`RuleName` UnicodeString	—
`VMCreatorId` GUID	—
`Priority` UInt16	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Action` UInt32	—
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`Active` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2092 — A Hyper-V rule has been deleted.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V rule has been deleted.

Message #

A Hyper-V rule has been deleted.

Error Code: %1
Origin: %2
Rule ID: %3
Modifying User: %4
	Modifying Application: %5

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`RuleID` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2092 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V rule has been deleted.

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`RuleID` UnicodeString	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2093 — A error occured while initializing a Hyper-V port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A error occured while initializing a Hyper-V port. Network connectivity may be affected.

Message #

A error occured while initializing a Hyper-V port. Network connectivity may be affected.

Error Code: %1
Switch Name: %2
Port Name: %3

Fields #

Name	Description
`ErrorCode` UInt32	—
`SwitchName` UnicodeString	—
`PortName` UnicodeString	—

Event ID 2093 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A error occured while initializing a Hyper-V port. Network connectivity may be affected.

Fields #

Name	Description
`ErrorCode` UInt32	—
`SwitchName` UnicodeString	—
`PortName` UnicodeString	—

Event ID 2094 — A error occured while processing a Hyper-V rule.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A error occured while processing a Hyper-V rule. It may not be enforced properly.

Message #

A error occured while processing a Hyper-V rule. It may not be enforced properly.

Error Code: %1
Rule Operation: %2
Rule ID: %3
Origin	%4

Fields #

Name	Description
`ErrorCode` UInt32	—
`RuleOperation` UInt32	—
`RuleID` UnicodeString	—
`StoreType` UInt32	—

Event ID 2094 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A error occured while processing a Hyper-V rule. It may not be enforced properly.

Fields #

Name	Description
`ErrorCode` UInt32	—
`RuleOperation` UInt32	—
`RuleID` UnicodeString	—
`StoreType` UInt32	—

Event ID 2095 — A Hyper-V VM Creator has been registered with the firewall service.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V VM Creator has been registered with the firewall service.

Message #

A Hyper-V VM Creator has been registered with the firewall service.

Error Code: %1
Id: %2
Friendly Name: %3

Fields #

Name	Description
`ErrorCode` UInt32	—
`VMCreatorId` GUID	—
`FriendlyName` UnicodeString	—

Event ID 2095 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V VM Creator has been registered with the firewall service.

Fields #

Name	Description
`ErrorCode` UInt32	—
`VMCreatorId` GUID	—
`FriendlyName` UnicodeString	—

Event ID 2096 — A Hyper-V VM Creator has been unregistered with the firewall service.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V VM Creator has been unregistered with the firewall service.

Message #

A Hyper-V VM Creator has been unregistered with the firewall service.

Error Code: %1
Id: %2

Fields #

Name	Description
`ErrorCode` UInt32	—
`VMCreatorId` GUID	—

Event ID 2096 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V VM Creator has been unregistered with the firewall service.

Fields #

Name	Description
`ErrorCode` UInt32	—
`VMCreatorId` GUID	—

Event ID 2097 — A rule has been added to the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational

Description

A rule has been added to the Windows Defender Firewall exception list.

Message #

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23
	PolicyAppId: %27
	Error Code: %28

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`ApplicationPath` UnicodeString	—
`ServiceName` UnicodeString	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`PolicyAppId` UnicodeString	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2097,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2023-11-06T01:44:15.909142+00:00",
    "event_record_id": 1322,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 22016
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{F12880D2-1AF5-4F03-AB63-8FEB63B400D0}",
    "RuleName": "Microsoft Teams",
    "Origin": 1,
    "ApplicationPath": "C:\\Program Files\\WindowsApps\\MicrosoftTeams_23275.702.2421.2406_x64__8wekyb3d8bbwe\\msteams.exe",
    "ServiceName": "",
    "Direction": 1,
    "Protocol": 17,
    "LocalPorts": "*",
    "RemotePorts": "*",
    "Action": 3,
    "Profiles": 2147483647,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "{78E1CD88-49E3-476E-B926-580E596AD309}",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "PolicyAppId": "",
    "ErrorCode": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2097 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A rule has been added to the Windows Defender Firewall exception list.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`ApplicationPath` UnicodeString	—
`ServiceName` UnicodeString	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`PolicyAppId` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2098 — A rule has been listed when the Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose

Description

A rule has been listed when the Windows Defender Firewall started.

Message #

A rule has been listed when the Windows Defender Firewall started.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	PolicyAppId: %27
	Error Code: %28

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`ApplicationPath` UnicodeString	—
`ServiceName` UnicodeString	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`PolicyAppId` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2098 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A rule has been listed when the Windows Defender Firewall started.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`ApplicationPath` UnicodeString	—
`ServiceName` UnicodeString	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`PolicyAppId` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2099 — A rule has been modified in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational

Description

A rule has been modified in the Windows Defender Firewall exception list.

Message #

A rule has been modified in the Windows Defender Firewall exception list.

Modified Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23
	PolicyAppId: %27
	Error Code: %28

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`ApplicationPath` UnicodeString	—
`ServiceName` UnicodeString	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`PolicyAppId` UnicodeString	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2099,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2023-11-06T01:00:42.526564+00:00",
    "event_record_id": 1285,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 18012
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{C4847D55-2E11-4510-9513-51B82576049A}",
    "RuleName": "Teamviewer Remote Control Service",
    "Origin": 0,
    "ApplicationPath": "C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe",
    "ServiceName": "",
    "Direction": 1,
    "Protocol": 17,
    "LocalPorts": "*",
    "RemotePorts": "*",
    "Action": 3,
    "Profiles": 4,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "ModifyingApplication": "C:\\Users\\User\\AppData\\Local\\Temp\\cdd35c3a-7c34-11ee-936c-000c293379ba\\TeamViewer_.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "PolicyAppId": "",
    "ErrorCode": 2
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2099 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A rule has been modified in the Windows Defender Firewall exception list.

Fields #

Name	Description
`RuleId` UnicodeString	—
`RuleName` UnicodeString	—
`Origin` UInt32	—
`ApplicationPath` UnicodeString	—
`ServiceName` UnicodeString	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString	—
`RemotePorts` UnicodeString	—
`Action` UInt32	—
`Profiles` UInt32	— Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString	—
`RemoteAddresses` UnicodeString	—
`RemoteMachineAuthorizationList` UnicodeString	—
`RemoteUserAuthorizationList` UnicodeString	—
`EmbeddedContext` UnicodeString	—
`Flags` UInt16	—
`Active` UInt16	—
`EdgeTraversal` UInt16	—
`LooseSourceMapped` UInt16	—
`SecurityOptions` UInt16	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—
`SchemaVersion` UInt16	—
`RuleStatus` UInt32	—
`LocalOnlyMapped` UInt16	—
`PolicyAppId` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2100 — A proxy is being used with Network Isolation, and is listed as a cloud resource.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A proxy is being used with Network Isolation, and is listed as a cloud resource. Network connectivity will be affected.

Message #

A proxy is being used with Network Isolation, and is listed as a cloud resource. Network connectivity will be affected. 

 Remove the domain of the proxy from the Network Isolation policy. 

 Proxy Name: %1

Fields #

Name	Description
`ProxyName` UnicodeString	—

Event ID 2101 — A Hyper-V Firewall Profile Setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

A Hyper-V Firewall Profile Setting has changed.

Message #

A Hyper-V Firewall Profile Setting has changed.
Error Code: %1
Origin: %2
Profile Type: %3
VM Creator ID: %4
Setting: %5
	Value: %6
	Modifying User: %7
	Modifying Application: %8

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`ProfileType` UInt32	—
`VMCreatorId` GUID	—
`ProfileConfig` UInt32	—
`Value` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2101 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A Hyper-V Firewall Profile Setting has changed.

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`ProfileType` UInt32	—
`VMCreatorId` GUID	—
`ProfileConfig` UInt32	—
`Value` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2102 — A Hyper-V Firewall Profile Setting has reset.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

A Hyper-V Firewall Profile Setting has reset.

Message #

A Hyper-V Firewall Profile Setting has reset.
Error Code: %1
Origin: %2
Profile Type: %3
VM Creator ID: %4
Setting: %5
Modifying User: %6
	Modifying Application: %7

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`ProfileType` UInt32	—
`VMCreatorId` GUID	—
`ProfileConfig` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2102 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A Hyper-V Firewall Profile Setting has reset.

Fields #

Name	Description
`ErrorCode` UInt32	—
`StoreType` UInt32	—
`ProfileType` UInt32	—
`VMCreatorId` GUID	—
`ProfileConfig` UInt32	—
`ModifyingUser` SID	—
`ModifyingApplication` UnicodeString	—

Event ID 2103 — A commit of an atomic transaction failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

A commit of an atomic transaction failed. Rollback will begin.

Message #

A commit of an atomic transaction failed. Rollback will begin.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 2103 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A commit of an atomic transaction failed. Rollback will begin.

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 2104 — The commit of an add operation in CSP failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The commit of an add operation in CSP failed.

Message #

The commit of an add operation in CSP failed. 

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2104 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The commit of an add operation in CSP failed.

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2105 — The commit of an delete operation in CSP failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The commit of an delete operation in CSP failed.

Message #

The commit of an delete operation in CSP failed. 

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2105 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The commit of an delete operation in CSP failed.

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2106 — The commit of a set operation in CSP failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The commit of a set operation in CSP failed.

Message #

The commit of a set operation in CSP failed. 

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2106 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The commit of a set operation in CSP failed.

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2107 — A rollback of an atomic transaction completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

A rollback of an atomic transaction completed.

Message #

A rollback of an atomic transaction completed.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 2107 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A rollback of an atomic transaction completed.

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 2108 — The rollback of a delete operation completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The rollback of a delete operation completed. The rollback of a delete is the addition of the rule.

Message #

The rollback of a delete operation completed. The rollback of a delete is the addition of the rule.

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2108 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The rollback of a delete operation completed. The rollback of a delete is the addition of the rule.

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2109 — The rollback of an add operation completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The rollback of an add operation completed. The rollback of an add is deletion of the rule.

Message #

The rollback of an add operation completed. The rollback of an add is deletion of the rule.

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2109 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The rollback of an add operation completed. The rollback of an add is deletion of the rule.

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2110 — The rollback of a set operation completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The rollback of a set operation completed. The rollback of a set is re-setting the previous values.

Message #

The rollback of a set operation completed. The rollback of a set is re-setting the previous values. 

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 2110 —

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The rollback of a set operation completed. The rollback of a set is re-setting the previous values.

Fields #

Name	Description
`RuleName` UnicodeString	—
`ErrorCode` UInt32	—

Microsoft-Windows-Windows Firewall With Advanced Security

Event ID 0 —

Fields #

Example Event #

Event ID 2000 — The following settings were applied to the Windows Defender Firewall at startup.

Description

Message #

Fields #

Example Event #

Event ID 2001 — The following per profile settings were applied by Windows Defender Firewall.

Description

Message #

Fields #

Example Event #

Event ID 2002 — A Windows Defender Firewall setting has changed.

Description

Message #

Fields #

Example Event #

Related Events #

References #

Event ID 2003 — A Windows Defender Firewall setting in the Profiles profile has changed.

Description

Message #

Fields #

Example Event #

Related Events #

References #

Event ID 2004 — A rule has been added to the Windows Defender Firewall exception list.

Description

Message #

Fields #

Example Event #

Related Events #

References #

Event ID 2005 — A rule has been modified in the Windows Defender Firewall exception list.

Description

Message #

Fields #

Example Event #

References #

Event ID 2006 — A rule has been deleted in the Windows Defender Firewall exception list.

Description

Message #

Fields #

Example Event #

Related Events #

References #

Event ID 2007 — A rule has been listed when the Windows Defender Firewall started.

Description

Message #

Fields #

Example Event #

Event ID 2008 — Windows Defender Firewall Group Policy settings have changed.

Description

Message #

Example Event #

Related Events #

References #

Event ID 2009 — The Windows Defender Firewall service failed to load Group Policy.

Description

Message #

Fields #

Detection Rules #

Sigma # view in reference

Event ID 2010 — Network profile changed on an interface.

Description

Message #

Fields #

Example Event #

References #

Event ID 2011 — Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Description

Message #

Fields #

Example Event #

References #

Event ID 2012 — A connection security rule was added to IPsec settings.

Description

Message #