Event-o-Pedia EventID 5157 - The Windows Filtering Platform has blocked a connection.

	Event Details
	User Activity->Network and Firewall Tracking->Windows Filtering Platform->Windows 2008->EventID 5157 - The Windows Filtering Platform has blocked a connection.

EventID 5157 - The Windows Filtering Platform has blocked a connection.

Linked Event:

EventID 5157 - The Windows Filtering Platform has blocked a connection.

Sample:

The Windows Filtering Platform has blocked a connection.

Application Information:
	Process ID:		1200
	Application Name:	\device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
	Direction:		Inbound
	Source Address:		ff02::1:3
	Source Port:		5355
	Destination Address:	fe80::34cd:aa6a:d4da:913d
	Destination Port:		64245
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	0
	Layer Name:		Receive/Accept
	Layer Run-Time ID:	46
===========================
Description template stored in adtschema.dll:
===========================
The Windows Filtering Platform has blocked a connection.

Application Information:
	Process ID:		%1
	Application Name:	%2

Network Information:
	Direction:		%3
	Source Address:		%4
	Source Port:		%5
	Destination Address:	%6
	Destination Port:		%7
	Protocol:		%8

Filter Information:
	Filter Run-Time ID:	%9
	Layer Name:		%10
	Layer Run-Time ID:	%11

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows Vista (2008) Windows 7 (2008 R2) Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	Object Access
Source	Microsoft-Windows-Security-Auditing
TaskCategory	Filtering Platform Connection
EventId	5157

Field Matching

Field	Description	Stored in	Sample Value
When	At what date and time a user activity originated in the system.	DateTime	10.10.2000 19:00:00
Who	Account or user name under which the activity occured.	"Windows Filtering Platform"	Windows Filtering Platform
What	The type of activity occurred (e.g. Logon, Password Changed, etc.)	"Connection blocked"	Connection blocked
Where	The name of the workstation/server where the activity was logged.	-	10.10.10.10
Where From	The name of the workstation/server where the activity was initiated from.	-	10.10.10.10
Severity	Specify the seriousness of the event.	"Low"	Low
WhoDomain		-
WhereDomain		-
Process ID		Application Information: Process ID	1200
Process Name		Application Information: Application Name	\device\harddiskvolume1\windows\system32\svchost.exe
Direction		Network Information: Direction	Inbound
Source Address		Network Information: Source Address	ff02::1:3
Source Port		Network Information: Source Port	5355
Target Address		Network Information: Destination Address	fe80::34cd:aa6a:d4da:913d
Target Port		Network Information: Destination Port	64245
Protocol		Network Information: Protocol	17
Filter ID		Filter Information: Filter Run-Time ID	0
Layer Name		Filter Information: Layer Name	Receive/Accept
Layer ID		Filter Information: Layer Run-Time ID	46