Audit Filtering Platform Connection
Some detection rules require monitoring network connections managed by the Windows Filtering Platform (WFP) to detect unauthorized or suspicious network activity.
Caution: Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain.
To enable Audit Filtering Platform Connection across a group of servers, configure the policy in an Active Directory Group Policy Object under Advanced Audit Policy Configuration, at the following path:
Computer Configuration > Windows Settings > Security Settings > Advanced Security Audit Policy Settings > Audit Policies > Object Access > Audit Filtering Platform Connection (Success,Failure)
To enable this policy on a local machine, run the following command in an elevated command prompt:
auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
When this audit policy is enabled, the following event IDs may be generated:
- 5031: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
- 5150: The Windows Filtering Platform blocked a packet.
- 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.
- 5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
- 5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
- 5156: The Windows Filtering Platform has permitted a connection.
- 5157: The Windows Filtering Platform has blocked a connection.
- 5158: The Windows Filtering Platform has permitted a bind to a local port.
- 5159: The Windows Filtering Platform has blocked a bind to a local port.
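As an added example that is not part of this page, the following PowerShell checks the subcategory's current setting on a pilot host and measures the volume of the events listed above, grouping permitted and blocked connections by application and destination port so noisy pairs can be filtered before domain-wide rollout; Get-WfpField is a helper name assumed here, not a built-in cmdlet.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell
# session on a Windows host (reading the Security log requires administrator rights).

# 1. Confirm the subcategory's current setting from auditpol's CSV output
#    (the "Inclusion Setting" column reads Success, Failure, Success and Failure,
#    or No Auditing).
$setting = auditpol.exe /get /subcategory:"Filtering Platform Connection" /r |
    ConvertFrom-Csv | Select-Object -ExpandProperty 'Inclusion Setting'
Write-Output "Filtering Platform Connection audit setting: $setting"

# 2. Collect the WFP connection-audit event IDs generated in the last hour.
$wfpIds = 5031, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $wfpIds
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue
Write-Output "WFP events in the last hour: $(@($events).Count)"

# 3. Volume per event ID, to see which IDs dominate on this host.
$events | Group-Object Id | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Hypothetical helper: read a named EventData field from the event's XML rather
# than relying on positional Properties[] indexes, which differ between IDs.
function Get-WfpField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4. Permitted (5156) and blocked (5157) connections grouped by application and
#    destination port: the noisiest pairs are candidates for filtering before
#    the policy is deployed across the whole domain.
$events | Where-Object { $_.Id -in 5156, 5157 } | ForEach-Object {
    [pscustomobject]@{
        Id          = $_.Id
        Application = Get-WfpField -Event $_ -Name 'Application'
        DestPort    = Get-WfpField -Event $_ -Name 'DestPort'
    }
} | Group-Object Id, Application, DestPort | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize
```

Run it on a few representative servers from the pilot group; the per-ID and per-application counts give the baseline needed to decide which events to drop before enabling the policy domain-wide.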
Use the following GitHub search to identify rules that use the events listed: