Event ID 2006 — A rule has been deleted in the Windows Defender Firewall exception list.
Description
A rule has been deleted in the Windows Defender Firewall exception list.
Message #
Fields #
| Name | Description |
|---|---|
RuleId UnicodeString | GUID of the deleted firewall rule |
RuleName UnicodeString | Name of the firewall rule as it appears in Windows Firewall |
ModifyingUser SID | SID of the account that deleted the firewall rule |
ModifyingApplication UnicodeString | Full image path of the process that deleted the firewall rule |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
"guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
"event_source_name": "",
"event_id": 2006,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223374235878031360,
"time_created": "2022-04-04T08:05:47.030869+00:00",
"event_record_id": 275,
"correlation": {},
"execution": {
"process_id": 1320,
"thread_id": 5056
},
"channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"RuleId": "{731057A4-5875-4405-ACE3-4C0DD0043413}",
"RuleName": "WinDefend Outbound for TCP",
"ModifyingUser": "S-1-5-18",
"ModifyingApplication": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2006-firewall.md