Event ID 2004 — A rule has been added to the Windows Defender Firewall exception list.
Description
A rule has been added to the Windows Defender Firewall exception list.
Message #
Fields #
| Name | Description |
|---|---|
RuleId UnicodeString | GUID uniquely identifying the new firewall rule |
RuleName UnicodeString | Name of the firewall rule as it appears in Windows Firewall |
Origin UInt32 | — |
ApplicationPath UnicodeString | Path to the application this rule applies to, if application-specific |
ServiceName UnicodeString | Name of the service this rule applies to, if service-specific |
Direction UInt32 | Direction of the rule: 1 for inbound, 2 for outbound Known values
|
Protocol UInt16 | — Known values
|
LocalPorts UnicodeString | — |
RemotePorts UnicodeString | — |
Action UInt32 | Firewall action: 3 for allow, 2 for block |
Profiles UInt32 | Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags
|
LocalAddresses UnicodeString | — |
RemoteAddresses UnicodeString | — |
RemoteMachineAuthorizationList UnicodeString | — |
RemoteUserAuthorizationList UnicodeString | — |
EmbeddedContext UnicodeString | — |
Flags UInt16 | — |
Active UInt16 | Whether the rule is enabled: 0 for disabled, 1 for enabled |
EdgeTraversal UInt16 | — |
LooseSourceMapped UInt16 | — |
SecurityOptions UInt16 | Security options: 0 for none, 1 for require authentication |
ModifyingUser SID | SID of the account that added the firewall rule |
ModifyingApplication UnicodeString | Full image path of the process that added the firewall rule |
SchemaVersion UInt16 | — |
RuleStatus UInt32 | — |
LocalOnlyMapped UInt16 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
"guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
"event_source_name": "",
"event_id": 2004,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223374235878031360,
"time_created": "2022-04-07T17:06:55.849451+00:00",
"event_record_id": 173,
"correlation": {},
"execution": {
"process_id": 1928,
"thread_id": 5436
},
"channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"RuleId": "ADDS-NB-Datagram-UDP-In",
"RuleName": "Active Directory Domain Controller - NetBIOS name resolution (UDP-In)",
"Origin": 1,
"ApplicationPath": "System",
"ServiceName": "",
"Direction": 1,
"Protocol": 17,
"LocalPorts": "138",
"RemotePorts": "*",
"Action": 3,
"Profiles": 2147483647,
"LocalAddresses": "*",
"RemoteAddresses": "*",
"RemoteMachineAuthorizationList": "",
"RemoteUserAuthorizationList": "",
"EmbeddedContext": "@FirewallAPI.dll,-37601",
"Flags": 1,
"Active": 1,
"EdgeTraversal": 0,
"LooseSourceMapped": 0,
"SecurityOptions": 0,
"ModifyingUser": "S-1-5-18",
"ModifyingApplication": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.20348.557_none_f1edaeb8515fa10d\\TiWorker.exe",
"SchemaVersion": 543,
"RuleStatus": 65536,
"LocalOnlyMapped": 0
},
"message": ""
}
References #
- Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd364408(v=ws.10)
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2004-firewall.md