Event Details
User Activity->Network and Firewall Tracking->Windows Filtering Platform->Windows 2008->EventID 5450 - A Windows Filtering Platform sub-layer has been changed.
EventID 5450 - A Windows Filtering Platform sub-layer has been changed.
 Sample: 
        A Windows Filtering Platform sub-layer has been changed.

        Subject:
        Security ID:		%2
        Account Name:		%3

        Process Information:
        Process ID:	%1

        Provider Information:
        Provider ID:	%4
        Provider Name:	%5

        Change Information:
        Change Type:	%6

        Sub-layer Information:
        Sub-layer ID:	%7
        Sub-layer Name:	%8
        Sub-layer Type:	%9

        Additional Information:
        Weight:	%10
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Policy Change
Source Microsoft-Windows-Security-Auditing
TaskCategory Filtering Platform Policy Change
EventId 5450
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime
Who Account or user name under which the activity occured. Subject: Account Name
What The type of activity occurred (e.g. Logon, Password Changed, etc.) TaskCategory
Where The name of the workstation/server where the activity was logged. Computer
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. "Low" Low
WhoDomain -
WhereDomain -
Comments
You must be logged in to comment