detection.wiki

Microsoft-Windows-NetworkSecurity

8 events across 1 channel

EventTitleChannelSample
801SA Context SaContextID was created.DebugN
802SA Context SaContextID: Result=Result.DebugN
803SA Context 5nProtocol:\nLocal Address: SaContextID:LocalMask\nRemote Address: …DebugN
804SA Context SaContextID was deleted.DebugN
805SA Context SaContextID: SPI=SPI.DebugN
806----- BEGIN BFE_SA_CONTEXT processing -----DebugN
807----- END BFE_SA_CONTEXT processing -----DebugN
808----- BFE SA CONTEXT ID: (SaContextID) -----.DebugN

Event ID 801: SA Context SaContextID was created.

#
Provider
Microsoft-Windows-NetworkSecurity
Channel
Debug
Opcode
Info

Description

SA Context SaContextID was created.

Message #

SA Context %1 was created

Fields #

NameDescription
SaContextID UInt64
Reason UInt32

Event ID 802: SA Context SaContextID: Result=Result.

#
Provider
Microsoft-Windows-NetworkSecurity
Channel
Debug
Opcode
Info

Description

SA Context SaContextID: Result=Result.

Message #

SA Context %1: Result=%2

Fields #

NameDescription
SaContextID UInt64
Result UInt32

Event ID 803: SA Context 5nProtocol:\nLocal Address: SaContextID:LocalMask\nRemote Address: LocalAddr:LocalPort\nProtocol: RemoteAddress.

#
Provider
Microsoft-Windows-NetworkSecurity
Channel
Debug
Opcode
Info

Description

SA Context 5nProtocol:\nLocal Address: SaContextID:LocalMask\nRemote Address: LocalAddr:LocalPort\nProtocol: RemoteAddress.

Message #

SA Context %1:\nLocal Address: %2:%4\nRemote Address: %3:%5\nProtocol: %6

Fields #

NameDescription
SaContextID UInt64
LocalAddr UnicodeString
LocalMask UnicodeString
LocalPort UInt16
RemoteAddress UnicodeString
RemoteMask UnicodeString
RemotePort UInt16
IPProtocol UInt8
LocalTunnelEndpt UnicodeString
RemoteTunnelEndpt UnicodeString

Event ID 804: SA Context SaContextID was deleted.

#
Provider
Microsoft-Windows-NetworkSecurity
Channel
Debug
Opcode
Info

Description

SA Context SaContextID was deleted.

Message #

SA Context %1 was deleted

Fields #

NameDescription
SaContextID UInt64

Event ID 805: SA Context SaContextID: SPI=SPI.

#
Provider
Microsoft-Windows-NetworkSecurity
Channel
Debug
Opcode
Info

Description

SA Context SaContextID: SPI=SPI.

Message #

SA Context %1: SPI=%2

Fields #

NameDescription
SaContextID UInt64
SPI UInt32

Event ID 806: ----- BEGIN BFE_SA_CONTEXT processing -----

#
Provider
Microsoft-Windows-NetworkSecurity
Channel
Debug
Task
SaContextOperation
Opcode
Start

Description

----- BEGIN BFE_SA_CONTEXT processing -----.

Message #

----- BEGIN BFE_SA_CONTEXT processing -----

Event ID 807: ----- END BFE_SA_CONTEXT processing -----

#
Provider
Microsoft-Windows-NetworkSecurity
Channel
Debug
Task
SaContextOperation
Opcode
Stop

Description

----- END BFE_SA_CONTEXT processing -----.

Message #

----- END BFE_SA_CONTEXT processing -----

Event ID 808: ----- BFE SA CONTEXT ID: (SaContextID) -----.

#
Provider
Microsoft-Windows-NetworkSecurity
Channel
Debug
Task
SaContextOperation

Description

----- BFE SA CONTEXT ID: (SaContextID) -----.

Message #

----- BFE SA CONTEXT ID: (%1) -----

Fields #

NameDescription
SaContextID UInt64

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 7b702970-90bc-4584-8b20-c0799086ee5a

Defined in fwpuclnt.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3328, captured 2026-06-02
  • Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.3915, captured 2026-06-02

Downloads