
Event ID 2011 — Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Message

Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Reason: %1
Application Path: %2
IP Version: %3
Protocol: %4
Port: %5
Process Id: %6
User: %7

Fields

Name             Description
ReasonCode       UInt32
ApplicationPath  UnicodeString
IPVersion        UInt8
Protocol         UInt16
                 Known values:
                   0    HOPOPT
                   1    ICMP
                   2    IGMP
                   6    TCP
                   17   UDP
                   41   IPv6
                   43   IPv6-Route
                   44   IPv6-Frag
                   47   GRE
                   50   ESP
                   51   AH
                   58   ICMPv6
                   89   OSPF
                   103  PIM
                   132  SCTP
Port             UInt16
ProcessId        UInt32
ModifyingUser    SID

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2011,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:12:17.921409+00:00",
    "event_record_id": 258,
    "correlation": {},
    "execution": {
      "process_id": 1928,
      "thread_id": 2428
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ReasonCode": 64,
    "ApplicationPath": "C:\\windows\\system32\\dns.exe",
    "IPVersion": 1,
    "Protocol": 17,
    "Port": 53,
    "ProcessId": 2208,
    "ModifyingUser": "S-1-5-18"
  },
  "message": ""
}
