Event-o-Pedia EventID 5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

	Event Details
	User Activity->Network and Firewall Tracking->Windows Filtering Platform->Windows 2008->EventID 5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

EventID 5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Linked Event:

EventID 5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Sample:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/27/2009 9:53:52 PM
Event ID:      5154
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
Description:   
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Application Information:
	Process ID:		880
	Application Name:	\device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
	Source Address:		0.0.0.0
	Source Port:		593
	Protocol:		6
Filter Information:
	Filter Run-Time ID:	65944
	Layer Name:		Listen
	Layer Run-Time ID:	40

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows Vista (2008) Windows 7 (2008 R2) Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	Object Access
Source	Microsoft-Windows-Security-Auditing
TaskCategory	Filtering Platform Connection
EventId	5154

Field Matching

Field	Description	Stored in	Sample Value
When	At what date and time a user activity originated in the system.	-	1/1/2000
Who	Account or user name under which the activity occured.	"Windows Filtering Platform"	Windows Filtering Platform
What	The type of activity occurred (e.g. Logon, Password Changed, etc.)	"Port listening allowed"	Port listening allowed
Where	The name of the workstation/server where the activity was logged.	-	10.10.10.10
Where From	The name of the workstation/server where the activity was initiated from.	-	10.10.10.10
Severity	Specify the seriousness of the event.	"Low"	Low
WhoDomain		-
WhereDomain		-