detection.wiki

Microsoft-Windows-Windows Firewall With Advanced Security › Event 2003

Event ID 2003 — A Windows Defender Firewall setting in the Profiles profile has changed.

Provider
Microsoft-Windows-Windows Firewall With Advanced Security
Channel
Firewall
Level
Informational
Collection Priority
Recommended (Olaf Hartong)
Opcode
Info

Description

A Windows Defender Firewall setting in the Profiles profile has changed.

Message #

A Windows Defender Firewall setting in the %1 profile has changed.
New Setting:
	Type: %2
	Value: %5
	Modifying User: %7
	Modifying Application: %8

Fields #

NameDescription
Profiles UInt32
Bitmask flags
0x00000001
Domain
0x00000002
Private
0x00000004
Public
SettingType UInt32
SettingValueSize UInt32
SettingValue Binary
SettingValueString UnicodeString
Origin UInt32
ModifyingUser SID
ModifyingApplication UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2003,
    "version": "0",
    "level": "4",
    "task": "0",
    "opcode": "0",
    "keywords": 9223372036854775808,
    "time_created": "2021-06-03T19:39:52.893086100Z",
    "event_record_id": "912",
    "correlation": {},
    "execution": {
      "process_id": "1000",
      "thread_id": "5464"
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "fs01.offsec.lan",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Profiles": "1",
    "SettingType": "1",
    "SettingValueSize": "4",
    "SettingValue": "01000000",
    "SettingValueString": "Yes",
    "Origin": "1",
    "ModifyingUser": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
  }
}

References #