Event ID 2052
Description
A rule has been deleted in the Windows Defender Firewall exception list.
Fields
| Name | Type | Description |
|---|---|---|
| RuleId | UnicodeString | GUID of the deleted firewall rule |
| RuleName | UnicodeString | Name of the firewall rule as it appears in Windows Firewall |
| ModifyingUser | SID | SID of the account that deleted the firewall rule |
| ModifyingApplication | UnicodeString | Full image path of the process that deleted the firewall rule |
| ErrorCode | UInt32 | — |
References
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2052-firewall-windows-11.md