Event ID 2071

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A rule has been added to the Windows Defender Firewall exception list.

Fields

Name (Type): Description

RuleId (UnicodeString): GUID uniquely identifying the new firewall rule
RuleName (UnicodeString): Name of the firewall rule as it appears in Windows Firewall
Origin (UInt32)
ApplicationPath (UnicodeString): Path to the application this rule applies to, if application-specific
ServiceName (UnicodeString): Name of the service this rule applies to, if service-specific
Direction (UInt32): Direction of the rule: 1 for inbound, 2 for outbound
    Known values:
    %%14592 = Inbound
    %%14593 = Outbound
    %%14594 = Forward
    %%14595 = Bidirectional
Protocol (UInt16)
    Known values:
    0 = HOPOPT
    1 = ICMP
    2 = IGMP
    6 = TCP
    17 = UDP
    41 = IPv6
    43 = IPv6-Route
    44 = IPv6-Frag
    47 = GRE
    50 = ESP
    51 = AH
    58 = ICMPv6
    89 = OSPF
    103 = PIM
    132 = SCTP
LocalPorts (UnicodeString)
RemotePorts (UnicodeString)
Action (UInt32): Firewall action: 3 for allow, 2 for block
Profiles (UInt32): Firewall profiles (Private/Domain/Public) this rule applies to
    Bitmask flags:
    0x00000001 = Domain
    0x00000002 = Private
    0x00000004 = Public
LocalAddresses (UnicodeString)
RemoteAddresses (UnicodeString)
RemoteMachineAuthorizationList (UnicodeString)
RemoteUserAuthorizationList (UnicodeString)
EmbeddedContext (UnicodeString)
Flags (UInt16)
Active (UInt16): Whether the rule is enabled: 0 for disabled, 1 for enabled
EdgeTraversal (UInt16)
LooseSourceMapped (UInt16)
SecurityOptions (UInt16): Security options: 0 for none, 1 for require authentication
ModifyingUser (SID): SID of the account that added the firewall rule
ModifyingApplication (UnicodeString): Full image path of the process that added the firewall rule
SchemaVersion (UInt16)
RuleStatus (UInt32)
LocalOnlyMapped (UInt16)
ErrorCode (UInt32)