Event Details
EventID 5446 - A Windows Filtering Platform callout has been changed.
 Sample:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/27/2009 9:53:51 PM
Event ID:      5446
Task Category: Filtering Platform Policy Change
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
Description:   
A Windows Filtering Platform callout has been changed.
	
Subject:
	Security ID:		S-1-5-19
	Account Name:		NT AUTHORITY\LOCAL SERVICE
Process Information:
	Process ID:	1324
Provider Information:
	ID:		{9250A3DB-5929-4952-B834-E88709B0A35E}
	Name:		WFKMP
Change Information:
	Change Type:	Add
Callout Information:
	ID:		{C3DBED20-0BB6-4BF3-828D-96732E1E0024}
	Name:		Windows Firewall: callout
	Type:		Not persistent
	Run-Time ID:	256
Layer Information:
	ID:		{1247D66D-0B60-4A15-8D44-7155D0F53A0C}
	Name:		ALE Resource Assignment v4 Layer
	Run-Time ID:	36
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field | Equals to Value
OSVersion | Windows Vista (2008), Windows 7 (2008 R2), Windows 8 (2012), Windows 8.1 (2012 R2), Windows 10 (2016)
Category | Policy Change
Source | Microsoft-Windows-Security-Auditing
TaskCategory | Filtering Platform Policy Change
EventId | 5446
Field Matching
Field | Description | Stored in | Sample Value
When | At what date and time a user activity originated in the system. | DateTime |
Who | Account or user name under which the activity occurred. | Subject: Account Name | NT AUTHORITY\LOCAL SERVICE
What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | TaskCategory |
Where | The name of the workstation/server where the activity was logged. | Computer |
Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10
Severity | Specify the seriousness of the event. | "Low" | Low
WhoDomain | | - |
WhereDomain | | - |