Microsoft-Windows-Windows Firewall With Advanced Security › Event 2097

Event ID 2097 — A rule has been added to the Windows Defender Firewall exception list.

Provider
Microsoft-Windows-Windows Firewall With Advanced Security
Channel
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall (shown abbreviated as "Firewall" in some viewers; the full channel name, as in the example event below, is what a collector or detection rule must subscribe to)
Level
Informational

Description

A rule has been added to the Windows Defender Firewall exception list. The event carries the complete definition of the new rule (direction, action, profiles, application path or service name, protocol, local/remote ports and addresses) together with attribution of the change: `ModifyingUser` is the SID of the account that created the rule and `ModifyingApplication` is the image path of the process that created it. Note that `ModifyingUser` is distinct from the `system.security.user_id` of the process that logged the event — in the example below the rule was created by S-1-5-18 via svchost.exe while the event itself was logged under S-1-5-19 — so attribution must be based on `ModifyingUser`/`ModifyingApplication`, not on the event's own security identifier. `RuleId` is the rule's GUID and is the key to use when correlating this event with later changes to the same rule. For triage, rules that allow inbound traffic and whose application path, modifying user or modifying application are unexpected for the host are the ones that warrant a closer look; a rule created by the OS for a Store application, as in the example, is routine.

Message

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23
	PolicyAppId: %27
	Error Code: %28

Fields

Name	Description (field type)
RuleId UnicodeString
RuleName UnicodeString
Origin UInt32
ApplicationPath UnicodeString
ServiceName UnicodeString
Direction UInt32
Known values (rendered message strings — the raw event_data value is an integer, 1 in the example below, and the %%NNNNN tokens are message-resource IDs that are only substituted when the message is rendered; match on the numeric value when parsing raw events and confirm the numeric-to-string mapping against the provider manifest before using it in a detection)
%%14592
Inbound
%%14593
Outbound
%%14594
Forward
%%14595
Bidirectional
Protocol UInt16
Known values
0
HOPOPT
1
ICMP
2
IGMP
6
TCP
17
UDP
41
IPv6
43
IPv6-Route
44
IPv6-Frag
47
GRE
50
ESP
51
AH
58
ICMPv6
89
OSPF
103
PIM
132
SCTP
LocalPorts UnicodeString
RemotePorts UnicodeString
Action UInt32 (no value map is given on this page; the example below carries the raw value 3 — resolve the numeric code to its allow/block meaning via the provider manifest or the rendered message before relying on it in a detection)
Profiles UInt32
Bitmask flags (values with bits beyond the three listed below also occur — the example event carries 2147483647, i.e. 0x7FFFFFFF, which has Domain, Private and Public all set; treat such values as applying to every profile rather than rejecting them as unknown)
0x00000001
Domain
0x00000002
Private
0x00000004
Public
LocalAddresses UnicodeString
RemoteAddresses UnicodeString
RemoteMachineAuthorizationList UnicodeString
RemoteUserAuthorizationList UnicodeString
EmbeddedContext UnicodeString
Flags UInt16
Active UInt16
EdgeTraversal UInt16
LooseSourceMapped UInt16
SecurityOptions UInt16
ModifyingUser SID (the account that created the rule — S-1-5-18 in the example — not the account under which the event was logged)
ModifyingApplication UnicodeString
SchemaVersion UInt16
RuleStatus UInt32
LocalOnlyMapped UInt16
PolicyAppId UnicodeString
ErrorCode UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2097,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2023-11-06T01:44:15.909142+00:00",
    "event_record_id": 1322,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 22016
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{F12880D2-1AF5-4F03-AB63-8FEB63B400D0}",
    "RuleName": "Microsoft Teams",
    "Origin": 1,
    "ApplicationPath": "C:\\Program Files\\WindowsApps\\MicrosoftTeams_23275.702.2421.2406_x64__8wekyb3d8bbwe\\msteams.exe",
    "ServiceName": "",
    "Direction": 1,
    "Protocol": 17,
    "LocalPorts": "*",
    "RemotePorts": "*",
    "Action": 3,
    "Profiles": 2147483647,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "{78E1CD88-49E3-476E-B926-580E596AD309}",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "PolicyAppId": "",
    "ErrorCode": 0
  },
  "message": ""
}

References