Event Details
EventID 5447 - A Windows Filtering Platform filter has been changed.
Sample:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/27/2009 9:53:52 PM
Event ID:      5447
Task Category: Other Policy Change Events
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
Description:   
A Windows Filtering Platform filter has been changed.
	
Subject:
	Security ID:		S-1-5-19
	Account Name:		NT AUTHORITY\LOCAL SERVICE
Process Information:
	Process ID:	1324
Provider Information:
	ID:		{4B153735-1049-4480-AAB4-D1B9BDC03710}
	Name:		Windows Firewall
Change Information:
	Change Type:	Add
Filter Information:
	ID:		{F81CF288-ECF7-42BF-995D-20FA26BB9404}
	Name:		Allow RPC/TCP traffic to EventLog
	Type:		Not persistent
	Run-Time ID:	65639
Layer Information:
	ID:		{E1CD9FE7-F4B5-4273-96C0-592E487B8650}
	Name:		ALE Receive/Accept v4 Layer
	Run-Time ID:	44
Callout Information:
	ID:		{00000000-0000-0000-0000-000000000000}
	Name:		-
Additional Information:
	Weight:	123172129079296	
	Conditions:	
	Condition ID:	{d78e1e87-8644-4ea5-9437-d809ecefc971}
	Match value:	Equal to
	Condition value:	
    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  \.d.e.v.i.c.e.\.
    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.
    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 31 00 5c 00  v.o.l.u.m.e.1.\.
    00000030  77 00 69 00 6e 00 64 00-6f 00 77 00 73 00 5c 00  w.i.n.d.o.w.s.\.
    00000040  73 00 79 00 73 00 74 00-65 00 6d 00 33 00 32 00  s.y.s.t.e.m.3.2.
    00000050  5c 00 73 00 76 00 63 00-68 00 6f 00 73 00 74 00  \.s.v.c.h.o.s.t.
    00000060  2e 00 65 00 78 00 65 00-00 00                    ..e.x.e...


	Condition ID:	{af043a0a-b34d-4f86-979c-c90371af6e66}
	Match value:	Equal to
	Condition value:	
O:SYG:SYD:(A;;CCRC;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)


	Condition ID:	{b9f4e088-cb98-4efb-a2c7-ad07332643db}
	Match value:	Equal to
	Condition value:	0x00000001

	Condition ID:	{3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
	Match value:	Equal to
	Condition value:	0x06

	Filter Action:	Permit
Log Type: Windows Event Log

Uniquely Identified By:
Log Name: Security

| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows Vista (2008), Windows 7 (2008 R2), Windows 8 (2012), Windows 8.1 (2012 R2), Windows 10 (2016) |
| Category | Policy Change |
| Source | Microsoft-Windows-Security-Auditing |
| TaskCategory | Other Policy Change Events |
| EventId | 5447 |

Field Matching

| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| When | At what date and time a user activity originated in the system. | DateTime | |
| Who | Account or user name under which the activity occurred. | Subject: Account Name | NT AUTHORITY\LOCAL SERVICE |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | TaskCategory | |
| Where | The name of the workstation/server where the activity was logged. | Computer | |
| Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10 |
| Severity | Specify the seriousness of the event. | "Low" | Low |
| WhoDomain | | - | |
| WhereDomain | | - | |