Microsoft-Windows-WFP

40 events across 5 channels

Event	Title	Channel	Sample
1001	WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.	Analytic	N
1003	IPsec: Packet Dropped - Error Code: FailureStatus, Filter Run-Time ID: FilterId, …	Analytic	N
1005	IPsec: Main Mode Failure	Operational	N
1007	IPsec: Quick Mode Failure	Operational	N
1009	IPsec: Extended Mode Failure	Operational	N
1011	IPsec DoS Protection: Packet Dropped	Analytic	N
1013	IPsec: Main Mode SA Terminated	Operational	Y
1013	IPsec: Main Mode SA Terminated	Debug	Y
1014	IPsec: Main Mode SA Established	Debug	N
1015	IPsec: Main Mode SA Established	Debug	N
1016	IPsec: Extended Mode and Main Mode SAs Established	Debug	N
1017	IPsec: Extended Mode and Main Mode SAs Established	Debug	N
1018	IPsec: Extended Mode and Main Mode SAs Established	Debug	N
1019	IPsec: Extended Mode and Main Mode SAs Established	Debug	N
1020	IPsec DoS Protection Enabled	Operational	N
1021	IPsec DoS Protection Disabled	Operational	N
1022	IPsec DoS Protection failed to create state because the maximum number of …	Operational	N
1023	IPsec: Negotiation Request Initiated	Debug	N
1024	IPsec: Send ISAKMP Packet	Debug	N
1025	IPsec: Receive ISAKMP Packet	Debug	N
1026	WFP: User Mode Error	Debug	N
1027	An IPsec quick mode security association ended.	Operational	N
1027	An IPsec quick mode security association ended.	Debug	N
1028	An IPsec quick mode security association was established.	Operational	N
1029	WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.	Analytic	N
1030	Transaction Watchdog Timeout The filtering engine has exceeded the configured …	Operational	Y
1031	File path trigger increment due to match for FilePath, counter value Counter.	Operational	N
1032	File path trigger decrement due to match for FilePath, counter value Counter.	Operational	N
1033	Modern app trigger increment due to match for AppSID, counter value Counter.	Operational	N
1034	Modern app trigger decrement due to match for AppSID, counter value Counter.	Operational	N
1035	Modern app trigger decrement due to match for SecurityDescriptor, counter value …	Operational	N
1036	Modern app trigger decrement due to match for SecurityDescriptor, counter value …	Operational	N
1037	Trigger increment due to NRPT lookup, counter value Counter.	Operational	N
1038	Trigger decrement due to NRPT idle, counter value Counter.	Operational	N
1039	Trigger increment due to flow creation, counter value: Counter, local address: …	Operational	N
1040	Trigger decrement due to flow deletion, counter value: Counter, local address: …	Operational	N
1041	Connect occurred due to unexpected disconnect, counter value Counter.	Operational	N
1042	Disconnecting after expiration of debounce interval	Operational	N
1043	IPsec: Main Mode SA Established	Operational	N
1044	Received the first packet on low power enabled IKE tunnel with SPI: SPI.	Operational	N

Event ID 1001: WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Provider: Microsoft-Windows-WFP
Channel: Analytic
Opcode: Info

Description

WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Message #

WFP: Packet Dropped - Filter Run-Time ID: %14, Layer Run-Time ID: %15

Fields #

Name	Description
`Timestamp` FILETIME
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`ScopeId` UInt32
`AppId` UnicodeString
`UserSID` SID
`ReauthReason` UInt32
`OriginalProfile` UInt32
`CurrentProfile` UInt32
`PacketDirection` UInt32
`Loopback` Boolean
`FilterId` UInt64
`LayerId` UInt16
`vSwitchId` UnicodeString
`SourcevSwitchPort` UInt32
`DestinationvSwitchPort` UInt32
`EnterpriseId` UnicodeString
`PolicyFlags` UInt64
`EffectiveName` UnicodeString

Event ID 1003: IPsec: Packet Dropped - Error Code: FailureStatus, Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Provider: Microsoft-Windows-WFP
Channel: Analytic
Opcode: Info

Description

IPsec: Packet Dropped - Error Code: FailureStatus, Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Message #

IPsec: Packet Dropped - Error Code: %9, Filter Run-Time ID: %12, Layer Run-Time ID: %13

Fields #

Name	Description
`Timestamp` FILETIME
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`ScopeId` UInt32
`AppId` UnicodeString
`UserSID` SID
`FailureStatus` UInt32
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SPI` UInt32
`FilterId` UInt64
`LayerId` UInt16

Event ID 1005: IPsec: Main Mode Failure

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec: Main Mode Failure.

Message #

IPsec: Main Mode Failure

Fields #

Name	Description
`Timestamp` FILETIME
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`ScopeId` UInt32
`AppId` UnicodeString
`UserSID` SID
`LocalSpn` UnicodeString
`PeerSpn` UnicodeString
`LocalGroupSidCount` UInt32
`LocalGroupSidLength` UInt32
`LocalGroupSids` UnicodeString
`RemoteGroupSidCount` UInt32
`RemoteGroupSidLength` UInt32
`RemoteGroupSids` UnicodeString
`FailureErrorCode` UInt32
`FailurePoint` UInt32
`Flags` UInt32
`KeyingModuleType` UInt32
`MmState` UInt32
`SaRole` UInt32
`MMAuthMethod` UInt32
`EndCertHash` Binary
`MMId` UInt64
`MMFilterId` UInt64
`ProviderContextKey` GUID

Event ID 1007: IPsec: Quick Mode Failure

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec: Quick Mode Failure.

Message #

IPsec: Quick Mode Failure

Fields #

Name	Description
`Timestamp` FILETIME
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`ScopeId` UInt32
`AppId` UnicodeString
`UserSID` SID
`FailureErrorCode` UInt32
`FailurePoint` UInt32
`KeyingModuleType` UInt32
`QMState` UInt32
`SaRole` UInt32
`SaTrafficType` UInt32
`QMFilterId` UInt64
`MMSaLuid` UInt64
`MMProviderContextKey` GUID

Event ID 1009: IPsec: Extended Mode Failure

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec: Extended Mode Failure.

Message #

IPsec: Extended Mode Failure

Fields #

Name	Description
`Timestamp` FILETIME
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`ScopeId` UInt32
`AppId` UnicodeString
`UserSID` SID
`LocalSpn` UnicodeString
`PeerSpn` UnicodeString
`LocalGroupSidCount` UInt32
`LocalGroupSidLength` UInt32
`LocalGroupSids` UnicodeString
`RemoteGroupSidCount` UInt32
`RemoteGroupSidLength` UInt32
`RemoteGroupSids` UnicodeString
`FailureErrorCode` UInt32
`FailurePoint` UInt32
`Flags` UInt32
`EMState` UInt32
`SaRole` UInt32
`EMAuthMethod` UInt32
`EndCertHash` Binary
`MMId` UInt64
`QMFilterId` UInt64

Event ID 1011: IPsec DoS Protection: Packet Dropped

Provider: Microsoft-Windows-WFP
Channel: Analytic
Opcode: Info

Description

IPsec DoS Protection: Packet Dropped.

Message #

IPsec DoS Protection: Packet Dropped

Fields #

Name	Description
`Timestamp` FILETIME
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`ScopeId` UInt32
`AppId` UnicodeString
`UserSID` SID
`InternetHostAddress` UInt32
`CorpnetHostAddress` UInt32
`FailureStatus` UInt32
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional

Event ID 1013: IPsec: Main Mode SA Terminated

Provider: Microsoft-Windows-WFP
Channel: Operational
Level: Informational
Opcode: Info

Description

IPsec: Main Mode SA Terminated.

Message #

IPsec: Main Mode SA Terminated

Fields #

Name	Description
`MainModeLocalAddressLength` UInt32
`MainModeLocalAddress` Binary
`MainModePeerAddressLength` UInt32
`MainModePeerAddress` Binary
`KeyingModule` UInt32
`SaLuid` UInt64
`ICookie` UInt64
`RCookie` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WFP",
    "guid": "0C478C5B-0351-41B1-8C58-4A6737DA32E3",
    "event_source_name": "",
    "event_id": 1013,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372174293729280,
    "time_created": "2026-03-13T20:18:51.253631+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 6452,
      "thread_id": 3736
    },
    "channel": "Microsoft-Windows-IKE/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "MainModeLocalAddressLength": 16,
    "MainModeLocalAddress": "020000000A020A0B0000000000000000",
    "MainModePeerAddressLength": 16,
    "MainModePeerAddress": "02000000A04F680A0000000000000000",
    "KeyingModule": 1,
    "SaLuid": 6,
    "ICookie": 3453738395519108605,
    "RCookie": 0
  },
  "message": ""
}

Event ID 1013: IPsec: Main Mode SA Terminated

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Main Mode SA Terminated.

Message #

IPsec: Main Mode SA Terminated

Fields #

Name	Description
`MainModeLocalAddressLength` UInt32
`MainModeLocalAddress` Binary
`MainModePeerAddressLength` UInt32
`MainModePeerAddress` Binary
`KeyingModule` UInt32
`SaLuid` UInt64
`ICookie` UInt64
`RCookie` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WFP",
    "event_id": 1013,
    "level": "Information",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-03-13T23:09:45.5724923+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Microsoft-Windows-IKE/Operational"
  },
  "event_data": {
    "KeyingModule": "0",
    "RCookie": "0",
    "MainModePeerAddressLength": "16",
    "MainModePeerAddress": "020000000A0214290000000000000000",
    "MainModeLocalAddressLength": "16",
    "SaLuid": "1",
    "ICookie": "12944197821115802604",
    "MainModeLocalAddress": "020000000A020A0B0000000000000000"
  }
}

Event ID 1014: IPsec: Main Mode SA Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Main Mode SA Established.

Message #

IPsec: Main Mode SA Established

Fields #

Name	Description
`LocalSpn` UnicodeString
`PeerSpn` UnicodeString
`MainModeLocalAddressLength` UInt32
`MainModeLocalAddress` Binary
`MainModePeerAddressLength` UInt32
`MainModePeerAddress` Binary
`KeyingModule` UInt32
`AuthenticationMethodType` UInt32
`EncryptionAlgorithm` UInt32
`AuthenticationAlgorithm` UInt32
`DiffieHellmanGroup` UInt32
`LifetimeMinutes` UInt32
`QMLimit` UInt32
`Role` UInt32
`Impersonation` UInt32
`MMFilterId` UInt64
`SaLuid` UInt64

Event ID 1015: IPsec: Main Mode SA Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Main Mode SA Established.

Message #

IPsec: Main Mode SA Established

Fields #

Name	Description
`LocalCertDnSubject` UnicodeString
`LocalCertShaThumbprintLength` UInt32
`LocalCertShaThumbprint` Binary
`LocalCertDnIssuer` UnicodeString
`LocalCertDnRoot` UnicodeString
`PeerCertDnSubject` UnicodeString
`PeerCertShaThumbprintLength` UInt32
`PeerCertShaThumbprint` Binary
`PeerCertDnIssuer` UnicodeString
`PeerCertDnRoot` UnicodeString
`MainModeLocalAddressLength` UInt32
`MainModeLocalAddress` Binary
`MainModePeerAddressLength` UInt32
`MainModePeerAddress` Binary
`KeyingModule` UInt32
`AuthenticationMethodType` UInt32
`EncryptionAlgorithm` UInt32
`AuthenticationAlgorithm` UInt32
`DiffieHellmanGroup` UInt32
`LifetimeMinutes` UInt32
`QMLimit` UInt32
`Role` UInt32
`Impersonation` UInt32
`MMFilterId` UInt64
`SaLuid` UInt64

Event ID 1016: IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Extended Mode and Main Mode SAs Established.

Message #

IPsec: Extended Mode and Main Mode SAs Established

Fields #

Name	Description
`LocalCertDnSubject` UnicodeString
`LocalCertShaThumbprintLength` UInt32
`LocalCertShaThumbprint` Binary
`LocalCertDnIssuer` UnicodeString
`LocalCertDnRoot` UnicodeString
`PeerCertDnSubject` UnicodeString
`PeerCertShaThumbprintLength` UInt32
`PeerCertShaThumbprint` Binary
`PeerCertDnIssuer` UnicodeString
`PeerCertDnRoot` UnicodeString
`MainModeLocalAddressLength` UInt32
`MainModeLocalAddress` Binary
`MainModePeerAddressLength` UInt32
`MainModePeerAddress` Binary
`EncryptionAlgorithm` UInt32
`AuthenticationAlgorithm` UInt32
`DiffieHellmanGroup` UInt32
`LifetimeMinutes` UInt32
`QMLimit` UInt32
`Role` UInt32
`Impersonation` UInt32
`MMFilterId` UInt64
`SaLuid` UInt64
`LocalUmCertDnSubject` UnicodeString
`LocalUmCertShaThumbprintLength` UInt32
`LocalUmCertShaThumbprint` Binary
`LocalUmCertDnIssuer` UnicodeString
`LocalUmCertDnRoot` UnicodeString
`PeerUmCertDnSubject` UnicodeString
`PeerUmCertShaThumbprintLength` UInt32
`PeerUmCertShaThumbprint` Binary
`PeerUmCertDnIssuer` UnicodeString
`PeerUmCertDnRoot` UnicodeString
`UMImpersonation` UInt32
`QMFilterId` UInt64

Event ID 1017: IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Extended Mode and Main Mode SAs Established.

Message #

IPsec: Extended Mode and Main Mode SAs Established

Fields #

Name	Description
`LocalCertDnSubject` UnicodeString
`LocalCertShaThumbprintLength` UInt32
`LocalCertShaThumbprint` Binary
`LocalCertDnIssuer` UnicodeString
`LocalCertDnRoot` UnicodeString
`PeerCertDnSubject` UnicodeString
`PeerCertShaThumbprintLength` UInt32
`PeerCertShaThumbprint` Binary
`PeerCertDnIssuer` UnicodeString
`PeerCertDnRoot` UnicodeString
`MainModeLocalAddressLength` UInt32
`MainModeLocalAddress` Binary
`MainModePeerAddressLength` UInt32
`MainModePeerAddress` Binary
`EncryptionAlgorithm` UInt32
`AuthenticationAlgorithm` UInt32
`DiffieHellmanGroup` UInt32
`LifetimeMinutes` UInt32
`QMLimit` UInt32
`Role` UInt32
`Impersonation` UInt32
`MMFilterId` UInt64
`SaLuid` UInt64
`UMLocalSPN` UnicodeString
`UMPeerSPN` UnicodeString
`UMAuthenticationMethodType` UInt32
`UMImpersonation` UInt32
`QMFilterId` UInt64

Event ID 1018: IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Extended Mode and Main Mode SAs Established.

Message #

IPsec: Extended Mode and Main Mode SAs Established

Fields #

Name	Description
`LocalSPN` UnicodeString
`PeerSPN` UnicodeString
`MainModeLocalAddressLength` UInt32
`MainModeLocalAddress` Binary
`MainModePeerAddressLength` UInt32
`MainModePeerAddress` Binary
`AuthenticationMethodType` UInt32
`EncryptionAlgorithm` UInt32
`AuthenticationAlgorithm` UInt32
`DiffieHellmanGroup` UInt32
`LifetimeMinutes` UInt32
`QMLimit` UInt32
`Role` UInt32
`Impersonation` UInt32
`MMFilterId` UInt64
`SaLuid` UInt64
`LocalUmCertDnSubject` UnicodeString
`LocalUmCertShaThumbprintLength` UInt32
`LocalUmCertShaThumbprint` Binary
`LocalUmCertDnIssuer` UnicodeString
`LocalUmCertDnRoot` UnicodeString
`PeerUmCertDnSubject` UnicodeString
`PeerUmCertShaThumbprintLength` UInt32
`PeerUmCertShaThumbprint` Binary
`PeerUmCertDnIssuer` UnicodeString
`PeerUmCertDnRoot` UnicodeString
`UMImpersonation` UInt32
`QMFilterId` UInt64

Event ID 1019: IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Extended Mode and Main Mode SAs Established.

Message #

IPsec: Extended Mode and Main Mode SAs Established

Fields #

Name	Description
`LocalSpn` UnicodeString
`PeerSpn` UnicodeString
`MainModeLocalAddressLength` UInt32
`MainModeLocalAddress` Binary
`MainModePeerAddressLength` UInt32
`MainModePeerAddress` Binary
`AuthenticationMethodType` UInt32
`EncryptionAlgorithm` UInt32
`AuthenticationAlgorithm` UInt32
`DiffieHellmanGroup` UInt32
`LifetimeMinutes` UInt32
`QMLimit` UInt32
`Role` UInt32
`Impersonation` UInt32
`MMFilterId` UInt64
`SaLuid` UInt64
`UMLocalSPN` UnicodeString
`UMPeerSPN` UnicodeString
`UMAuthenticationMethodType` UInt32
`UMImpersonation` UInt32
`QMFilterId` UInt64

Event ID 1020: IPsec DoS Protection Enabled

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec DoS Protection Enabled.

Message #

IPsec DoS Protection Enabled

Event ID 1021: IPsec DoS Protection Disabled

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec DoS Protection Disabled.

Message #

IPsec DoS Protection Disabled

Event ID 1022: IPsec DoS Protection failed to create state because the maximum number of entries allowed by policy has been reached

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec DoS Protection failed to create state because the maximum number of entries allowed by policy has been reached.

Message #

IPsec DoS Protection failed to create state because the maximum number of entries allowed by policy has been reached

Event ID 1023: IPsec: Negotiation Request Initiated

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Negotiation Request Initiated.

Message #

IPsec: Negotiation Request Initiated

Fields #

Name	Description
`KeyingModule` AnsiString
`AcquireContext` UInt64
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Mode` UnicodeString
`FilterId` UInt64
`IPProtocol` UInt32
`InterfaceLuid` UInt64
`ProfileId` UInt32
`LocalUdpEncapPort` UInt16
`RemoteUdpEncapPort` UInt16
`MMTargetName` UnicodeString
`EMTargetName` UnicodeString
`NumTokens` UInt32
`Token1Type` UnicodeString
`Token1Principal` UnicodeString
`Token1Mode` UnicodeString
`Token1` UInt64
`Token2Type` UnicodeString
`Token2Principal` UnicodeString
`Token2Mode` UnicodeString
`Token2` UInt64
`Token3Type` UnicodeString
`Token3Principal` UnicodeString
`Token3Mode` UnicodeString
`Token3` UInt64
`Token4Type` UnicodeString
`Token4Principal` UnicodeString
`Token4Mode` UnicodeString
`Token4` UInt64
`VirtualIfTunnelId` UInt64
`TrafficSelectorId` UInt64
`Flags` UInt32
`RekeySPI` UInt32
`OrigVirtualIfTunnelId` UInt64
`PacketLocalAddressLength` UInt32
`PacketLocalAddress` Binary
`PacketRemoteAddressLength` UInt32
`PacketRemoteAddress` Binary
`PacketIPProtocol` UInt32
`PacketInterfaceLuid` UInt64
`PacketProfileId` UInt32

Event ID 1024: IPsec: Send ISAKMP Packet

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Send ISAKMP Packet.

Message #

IPsec: Send ISAKMP Packet

Fields #

Name	Description
`ICookie` AnsiString
`RCookie` AnsiString
`ExchangeType` AnsiString
`Length` UInt32
`NextPayload` AnsiString
`Flags` UInt8
`MessageID` UInt32
`LocalAddress` UnicodeString
`LocalPort` UInt32
`LocalProtocol` UInt32
`RemoteAddress` UnicodeString
`RemotePort` UInt32
`RemoteProtocol` UInt32
`InterfaceLuid` UInt64

Event ID 1025: IPsec: Receive ISAKMP Packet

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Receive ISAKMP Packet.

Message #

IPsec: Receive ISAKMP Packet

Fields #

Name	Description
`ICookie` AnsiString
`RCookie` AnsiString
`ExchangeType` AnsiString
`Length` UInt32
`NextPayload` AnsiString
`Flags` UInt8
`MessageID` UInt32
`LocalAddress` UnicodeString
`LocalPort` UInt32
`LocalProtocol` UInt32
`RemoteAddress` UnicodeString
`RemotePort` UInt32
`RemoteProtocol` UInt32
`InterfaceLuid` UInt64
`ProfileId` UInt32

Event ID 1026: WFP: User Mode Error

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

WFP: User Mode Error.

Message #

WFP: User Mode Error

Fields #

Name	Description
`Function` AnsiString
`ErrorCode` UInt32

Event ID 1027: An IPsec quick mode security association ended.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

An IPsec quick mode security association ended.

Message #

An IPsec quick mode security association ended.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`LocalAddressMask` UnicodeString
`LocalTunnelEndpointLength` UInt32
`LocalTunnelEndpoint` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`RemoteAddressMask` UnicodeString
`RemoteTunnelEndpointLength` UInt32
`RemoteTunnelEndpoint` Binary
`IPProtocol` UInt32
`QMSaLuid` UInt64
`VirtualIFTunnelId` UInt64
`VirtualIFTrafficSelectorId` UInt64
`InboundSPI` UInt32
`OutboundSPI` UInt32

Event ID 1027: An IPsec quick mode security association ended.

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

An IPsec quick mode security association ended.

Message #

An IPsec quick mode security association ended.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`LocalAddressMask` UnicodeString
`LocalTunnelEndpointLength` UInt32
`LocalTunnelEndpoint` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`RemoteAddressMask` UnicodeString
`RemoteTunnelEndpointLength` UInt32
`RemoteTunnelEndpoint` Binary
`IPProtocol` UInt32
`QMSaLuid` UInt64
`VirtualIFTunnelId` UInt64
`VirtualIFTrafficSelectorId` UInt64
`InboundSPI` UInt32
`OutboundSPI` UInt32

Event ID 1028: An IPsec quick mode security association was established.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

An IPsec quick mode security association was established.

Message #

An IPsec quick mode security association was established.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`LocalAddressMask` UnicodeString
`LocalTunnelEndpointLength` UInt32
`LocalTunnelEndpoint` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`RemoteAddressMask` UnicodeString
`RemoteTunnelEndpointLength` UInt32
`RemoteTunnelEndpoint` Binary
`IPProtocol` UInt32
`KeyingModuleName` UInt8
`AHAuthType` UInt8
`ESPAuthType` UInt8
`ESPCipherType` UInt8
`LifetimeSeconds` UInt32
`LifetimeKilobytes` UInt32
`LifetimePackets` UInt32
`Mode` UInt8
`Role` UInt8
`TransportFilterId` UInt64
`MMSaLuid` UInt64
`QMSaLuid` UInt64
`InboundSPI` UInt32
`OutboundSPI` UInt32
`VirtualIFTunnelId` UInt64
`VirtualIFTrafficSelectorId` UInt64
`RekeySPI` UInt32

Event ID 1029: WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Provider: Microsoft-Windows-WFP
Channel: Analytic
Opcode: Info

Description

WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Message #

WFP: Packet Dropped - Filter Run-Time ID: %10, Layer Run-Time ID: %11

Fields #

Name	Description
`Timestamp` FILETIME
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`EtherType` UInt16
`MediaType` UInt32
`InterfaceType` UInt32
`VlanTag` UInt16
`FilterId` UInt64
`LayerId` UInt16
`vSwitchId` UnicodeString
`SourcevSwitchPort` UInt32
`DestinationvSwitchPort` UInt32

Event ID 1030: Transaction Watchdog Timeout The filtering engine has exceeded the configured threshold to process a transaction.

Provider: Microsoft-Windows-WFP
Channel: Operational
Level: Warning
Opcode: Info

Description

Transaction Watchdog Timeout.

Message #

Transaction Watchdog Timeout
The filtering engine has exceeded the configured threshold to process a transaction. This could indicate a suboptimal policy configuration that may cause temporary network outages.
    Owning Process ID: %1
    Transaction Time (msec): %2
    Transaction Commit Time (msec): %3
    Configured Threshold (msec): %4

Fields #

Name	Description
`ProcessId` UInt32
`TxnTimeInMSec` UInt32
`CommitTimeInMSec` UInt32
`WatchdogTimeoutInMSec` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WFP",
    "guid": "{0C478C5B-0351-41B1-8C58-4A6737DA32E3}",
    "event_source_name": "",
    "event_id": 1030,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686293305294848,
    "time_created": "2026-05-29T01:25:16.8612526+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 1844,
      "thread_id": 2764
    },
    "channel": "Microsoft-Windows-WFP/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ProcessId": "1844",
    "TxnTimeInMSec": "1359",
    "CommitTimeInMSec": "0",
    "WatchdogTimeoutInMSec": "500"
  },
  "message": "Transaction Watchdog Timeout\r\nThe filtering engine has exceeded the configured threshold to process a transaction. This could indicate a suboptimal policy configuration that may cause temporary network outages.\r\n    Owning Process ID: 1844\r\n    Transaction Time (msec): 1359\r\n    Transaction Commit Time (msec): 0\r\n    Configured Threshold (msec): 500"
}

Event ID 1031: File path trigger increment due to match for FilePath, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

File path trigger increment due to match for FilePath, counter value Counter.

Message #

File path trigger increment due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32
`FilePath` UnicodeString

Event ID 1032: File path trigger decrement due to match for FilePath, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

File path trigger decrement due to match for FilePath, counter value Counter.

Message #

File path trigger decrement due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32
`FilePath` UnicodeString

Event ID 1033: Modern app trigger increment due to match for AppSID, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Modern app trigger increment due to match for AppSID, counter value Counter.

Message #

Modern app trigger increment due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32
`AppSID` SID

Event ID 1034: Modern app trigger decrement due to match for AppSID, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Modern app trigger decrement due to match for AppSID, counter value Counter.

Message #

Modern app trigger decrement due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32
`AppSID` SID

Event ID 1035: Modern app trigger decrement due to match for SecurityDescriptor, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Modern app trigger decrement due to match for SecurityDescriptor, counter value Counter.

Message #

Modern app trigger decrement due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32
`SecurityDescriptor` UnicodeString

Event ID 1036: Modern app trigger decrement due to match for SecurityDescriptor, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Modern app trigger decrement due to match for SecurityDescriptor, counter value Counter.

Message #

Modern app trigger decrement due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32
`SecurityDescriptor` UnicodeString

Event ID 1037: Trigger increment due to NRPT lookup, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Trigger increment due to NRPT lookup, counter value Counter.

Message #

Trigger increment due to NRPT lookup, counter value %1

Fields #

Name	Description
`Counter` UInt32

Event ID 1038: Trigger decrement due to NRPT idle, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Trigger decrement due to NRPT idle, counter value Counter.

Message #

Trigger decrement due to NRPT idle, counter value %1

Fields #

Name	Description
`Counter` UInt32

Event ID 1039: Trigger increment due to flow creation, counter value: Counter, local address: LocalAddress, remote address: RemoteAddress, protocol IPProtocol.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Trigger increment due to flow creation, counter value: Counter, local address: LocalAddress, remote address: RemoteAddress, protocol IPProtocol.

Message #

Trigger increment due to flow creation, counter value: %1, local address: %3, remote address: %5, protocol %6

Fields #

Name	Description
`Counter` UInt32
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`IPProtocol` UInt32

Event ID 1040: Trigger decrement due to flow deletion, counter value: Counter, local address: LocalAddress, remote address: RemoteAddress, protocol IPProtocol.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Trigger decrement due to flow deletion, counter value: Counter, local address: LocalAddress, remote address: RemoteAddress, protocol IPProtocol.

Message #

Trigger decrement due to flow deletion, counter value: %1, local address: %3, remote address: %5, protocol %6

Fields #

Name	Description
`Counter` UInt32
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`IPProtocol` UInt32

Event ID 1041: Connect occurred due to unexpected disconnect, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Connect occurred due to unexpected disconnect, counter value Counter.

Message #

Connect occurred due to unexpected disconnect, counter value %1

Fields #

Name	Description
`Counter` UInt32

Event ID 1042: Disconnecting after expiration of debounce interval

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Disconnecting after expiration of debounce interval.

Message #

Disconnecting after expiration of debounce interval

Event ID 1043: IPsec: Main Mode SA Established

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec: Main Mode SA Established.

Message #

IPsec: Main Mode SA Established

Fields #

Name	Description
`MainModeLocalAddressLength` UInt32
`MainModeLocalAddress` Binary
`MainModePeerAddressLength` UInt32
`MainModePeerAddress` Binary
`KeyingModule` UInt32
`AuthenticationMethodType` UInt32
`EncryptionAlgorithm` UInt32
`AuthenticationAlgorithm` UInt32
`DiffieHellmanGroup` UInt32
`LifetimeMinutes` UInt32
`QMLimit` UInt32
`Role` UInt32
`Impersonation` UInt32
`MMFilterId` UInt64
`SaLuid` UInt64
`ProviderContextKey` GUID
`VirtualIfTunnelId` UInt64
`ICookie` UInt64
`RCookie` UInt64

Event ID 1044: Received the first packet on low power enabled IKE tunnel with SPI: SPI.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Received the first packet on low power enabled IKE tunnel with SPI: SPI.

Message #

Received the first packet on low power enabled IKE tunnel with SPI: %9

Fields #

Name	Description
`Timestamp` FILETIME
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`ScopeId` UInt32
`AppId` UnicodeString
`UserSID` SID
`SPI` UInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 0c478c5b-0351-41b1-8c58-4a6737da32e3

Defined in fwpkclnt.sys, the binary that emits these events.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4647, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.6584, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)