Microsoft-Windows-Windows Firewall With Advanced Security

171 events across 8 channels

Event	Title	Channel	Sample
0	Event ID 0	FirewallDiagnostics	Y
2000	The following settings were applied to the Windows Defender Firewall at startup.	FirewallVerbose	Y
2001	The following per profile settings were applied by Windows Defender Firewall.	FirewallVerbose	Y
2002	A Windows Defender Firewall setting has changed.	Firewall	Y
2003	A Windows Defender Firewall setting in the Profiles profile has changed.	Firewall	Y
2004	A rule has been added to the Windows Defender Firewall exception list.	Firewall	Y
2005	A rule has been modified in the Windows Defender Firewall exception list.	Firewall	Y
2006	A rule has been deleted in the Windows Defender Firewall exception list.	Firewall	Y
2007	A rule has been listed when the Windows Defender Firewall started.	FirewallVerbose	Y
2008	Windows Defender Firewall Group Policy settings have changed.	Firewall	Y
2009	The Windows Defender Firewall service failed to load Group Policy.	Firewall	N
2010	Network profile changed on an interface.	Firewall	Y
2011	Windows Defender Firewall was unable to notify the user that it blocked an …	Firewall	Y
2012	A connection security rule was added to IPsec settings.	ConnectionSecurity	Y
2013	A connection security rule was modified in IPsec settings.	ConnectionSecurity	Y
2014	A connection security rule was deleted from IPsec settings.	ConnectionSecurity	Y
2015	A connection security rule was added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose	N
2016	A main mode rule has been added in the IPsec settings.	ConnectionSecurity	N
2017	A main mode rule has been modified in the IPsec settings.	ConnectionSecurity	N
2018	A main mode rule has been deleted in the IPsec settings.	ConnectionSecurity	N
2019	A main mode rule was added to the IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose	N
2020	A phase 1 crypto set was added to IPsec settings.	ConnectionSecurity	N
2021	A phase 1 crypto set was modified in IPsec settings.	ConnectionSecurity	N
2022	A phase 1 crypto set was deleted from IPsec settings.	ConnectionSecurity	N
2023	A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose	Y
2024	A phase 2 crypto set was added to IPsec settings.	ConnectionSecurity	N
2025	A phase 2 crypto set was modified in IPsec settings.	ConnectionSecurity	N
2026	A phase 2 crypto set was deleted from IPsec settings.	ConnectionSecurity	N
2027	A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose	Y
2028	An authentication set has been added to IPsec settings.	ConnectionSecurity	Y
2029	An authentication set has been modified in IPsec settings.	ConnectionSecurity	N
2030	An authentication set has been deleted from IPsec settings.	ConnectionSecurity	Y
2031	An authentication set has been added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose	Y
2032	Windows Defender Firewall has been reset to its default configuration.	Firewall	Y
2033	All rules have been deleted from the Windows Defender Firewall configuration on …	Firewall	N
2034	All connection security rules have been deleted from the IPsec configuration on …	ConnectionSecurity	N
2035	All main mode rules have been deleted from the IPsec configuration on this …	ConnectionSecurity	N
2036	All authentication sets have been deleted from the IPsec configuration on this …	ConnectionSecurity	N
2037	All crypto sets have been deleted from the IPsec configuration on this computer.	ConnectionSecurity	N
2038	Windows Defender Firewall did not apply the following rule because the rule was …	ConnectionSecurity	N
2039	Http Proxies Changed.	Network Isolation Operational	Y
2040	Corp Subnets Changed.	Network Isolation Operational	Y
2041	Capability Changed.	Network Isolation Operational	Y
2042	Config Read Failed.	System	N
2043	The Windows Firewall Service failed to initialize a component.	Firewall	N
2044	Added Dynamic Keyword Address.	Firewall	N
2045	Deleted Dynamic Keyword Address.	Firewall	N
2046	Updated Dynamic Keyword Address.	Firewall	N
2047	Tenant Restrictions Policy Update.	Firewall	Y
2048	Added Dynamic Keyword Address.	Firewall	N
2049	Deleted Dynamic Keyword Address.	Firewall	N
2050	Updated Dynamic Keyword Address.	Firewall	N
2051	Tenant Restrictions Policy Update.	Firewall	Y
2051	Tenant Restrictions Policy Update	Operational	Y
2052	A rule has been deleted in the Windows Defender Firewall exception list.	Firewall	Y
2052	A rule has been deleted in the Windows Defender Firewall exception list	Operational	Y
2053	A connection security rule was deleted from IPsec settings.	ConnectionSecurity	N
2053	A connection security rule was deleted from IPsec settings	Operational	N
2054	A main mode rule has been deleted in the IPsec settings.	ConnectionSecurity	N
2054	A main mode rule has been deleted in the IPsec settings	Operational	N
2055	A phase 1 crypto set was deleted from IPsec settings.	ConnectionSecurity	N
2055	A phase 1 crypto set was deleted from IPsec settings	Operational	N
2056	A phase 2 crypto set was deleted from IPsec settings.	ConnectionSecurity	N
2056	A phase 2 crypto set was deleted from IPsec settings	Operational	N
2057	All connection security rules have been deleted from the IPsec configuration on …	ConnectionSecurity	N
2057	All connection security rules have been deleted from the IPsec configuration on …	Operational	N
2058	All main mode rules have been deleted from the IPsec configuration on this …	ConnectionSecurity	N
2058	All main mode rules have been deleted from the IPsec configuration on this …	Operational	N
2059	All rules have been deleted from the Windows Defender Firewall configuration on …	Firewall	Y
2059	All rules have been deleted from the Windows Defender Firewall configuration on …	Operational	Y
2060	Windows Defender Firewall has been reset to its default configuration.	Firewall	N
2060	Windows Defender Firewall has been reset to its default configuration	Operational	N
2061	A connection security rule was added to IPsec settings.	ConnectionSecurity	N
2061	A connection security rule was added to IPsec settings	Operational	N
2062	A connection security rule was modified in IPsec settings.	ConnectionSecurity	N
2062	A connection security rule was modified in IPsec settings	Operational	N
2063	A connection security rule was added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose	N
2063	A connection security rule was added to IPsec settings when Windows Defender …	Operational	N
2064	An authentication set has been added to IPsec settings.	ConnectionSecurity	N
2064	An authentication set has been added to IPsec settings	Operational	N
2065	An authentication set has been modified in IPsec settings.	ConnectionSecurity	N
2065	An authentication set has been modified in IPsec settings	Operational	N
2066	An authentication set has been added to IPsec settings when Windows Defender …	ConnectionSecurityVerbose	Y
2066	An authentication set has been added to IPsec settings when Windows Defender …	Operational	Y
2067	An authentication set has been deleted from IPsec settings.	ConnectionSecurity	N
2067	An authentication set has been deleted from IPsec settings	Operational	N
2068	A main mode rule has been added in the IPsec settings.	ConnectionSecurity	N
2068	A main mode rule has been added in the IPsec settings	Operational	N
2069	A main mode rule has been modified in the IPsec settings.	ConnectionSecurity	N
2069	A main mode rule has been modified in the IPsec settings	Operational	N
2070	A main mode rule was added to the IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose	N
2070	A main mode rule was added to the IPsec settings when Windows Defender Firewall …	Operational	N
2071	A rule has been added to the Windows Defender Firewall exception list.	Firewall	Y
2071	A rule has been added to the Windows Defender Firewall exception list	Operational	N
2072	A rule has been listed when the Windows Defender Firewall started.	FirewallVerbose	Y
2072	A rule has been listed when the Windows Defender Firewall started	Operational	N
2073	A rule has been modified in the Windows Defender Firewall exception list.	Firewall	Y
2073	A rule has been modified in the Windows Defender Firewall exception list	Operational	N
2074	All authentication sets have been deleted from the IPsec configuration on this …	ConnectionSecurity	N
2074	All authentication sets have been deleted from the IPsec configuration on this …	Operational	N
2075	All crypto sets have been deleted from the IPsec configuration on this computer.	ConnectionSecurity	N
2075	All crypto sets have been deleted from the IPsec configuration on this computer	Operational	N
2076	A phase 1 crypto set was added to IPsec settings.	ConnectionSecurity	N
2076	A phase 1 crypto set was added to IPsec settings	Operational	N
2077	A phase 1 crypto set was modified in IPsec settings.	ConnectionSecurity	N
2077	A phase 1 crypto set was modified in IPsec settings	Operational	N
2078	A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose	Y
2078	A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall …	Operational	Y
2079	A phase 2 crypto set was added to IPsec settings.	ConnectionSecurity	N
2079	A phase 2 crypto set was added to IPsec settings	Operational	N
2080	A phase 2 crypto set was modified in IPsec settings.	ConnectionSecurity	N
2080	A phase 2 crypto set was modified in IPsec settings	Operational	N
2081	A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall …	ConnectionSecurityVerbose	Y
2081	A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall …	Operational	Y
2082	A Windows Defender Firewall setting in the Profiles profile has changed.	Firewall	Y
2082	A Windows Defender Firewall setting in the Profiles profile has changed	Operational	N
2083	A Windows Defender Firewall setting has changed.	Firewall	Y
2083	A Windows Defender Firewall setting has changed	Operational	Y
2084	Added a Duplicate Rule.	Firewall	Y
2084	Added a Duplicate Rule	Operational	Y
2085	Created Hyper-V Port.	Firewall	N
2085	Created Hyper-V Port	Operational	N
2086	Updated Hyper-V Port.	Firewall	N
2086	Updated Hyper-V Port	Operational	N
2087	Deleted Hyper-V Port.	Firewall	N
2087	Deleted Hyper-V Port	Operational	N
2088	A Hyper-V Firewall VM Setting has changed.	Firewall	N
2088	A Hyper-V Firewall VM Setting has changed	Operational	N
2089	A Hyper-V Firewall VM Setting has reset.	Firewall	N
2089	A Hyper-V Firewall VM Setting has reset	Operational	N
2090	A Hyper-V rule has been added.	Firewall	N
2090	A Hyper-V rule has been added	Operational	N
2091	A Hyper-V rule has been updated.	Firewall	N
2091	A Hyper-V rule has been updated	Operational	N
2092	A Hyper-V rule has been deleted.	Firewall	N
2092	A Hyper-V rule has been deleted	Operational	N
2093	A error occured while initializing a Hyper-V port.	Firewall	N
2093	A error occured while initializing a Hyper-V port	Operational	N
2094	A error occured while processing a Hyper-V rule.	Firewall	N
2094	A error occured while processing a Hyper-V rule	Operational	N
2095	A Hyper-V VM Creator has been registered with the firewall service.	Firewall	N
2095	A Hyper-V VM Creator has been registered with the firewall service	Operational	N
2096	A Hyper-V VM Creator has been unregistered with the firewall service.	Firewall	N
2096	A Hyper-V VM Creator has been unregistered with the firewall service	Operational	N
2097	A rule has been added to the Windows Defender Firewall exception list.	Firewall	Y
2097	A rule has been added to the Windows Defender Firewall exception list	Operational	Y
2098	A rule has been listed when the Windows Defender Firewall started.	FirewallVerbose	Y
2098	A rule has been listed when the Windows Defender Firewall started	Operational	Y
2099	A rule has been modified in the Windows Defender Firewall exception list.	Firewall	Y
2099	A rule has been modified in the Windows Defender Firewall exception list	Operational	Y
2100	A proxy is being used with Network Isolation, and is listed as a cloud resource.	Operational	N
2101	A Hyper-V Firewall Profile Setting has changed.	Firewall	N
2101	A Hyper-V Firewall Profile Setting has changed	Operational	N
2102	A Hyper-V Firewall Profile Setting has reset.	Firewall	N
2102	A Hyper-V Firewall Profile Setting has reset	Operational	N
2103	A commit of an atomic transaction failed.	Firewall	N
2103	A commit of an atomic transaction failed	Operational	N
2104	The commit of an add operation in CSP failed.	Firewall	N
2104	The commit of an add operation in CSP failed	Operational	N
2105	The commit of an delete operation in CSP failed.	Firewall	N
2105	The commit of an delete operation in CSP failed	Operational	N
2106	The commit of a set operation in CSP failed.	Firewall	N
2106	The commit of a set operation in CSP failed	Operational	N
2107	A rollback of an atomic transaction completed.	Firewall	N
2107	A rollback of an atomic transaction completed	Operational	N
2108	The rollback of a delete operation completed.	Firewall	N
2108	The rollback of a delete operation completed	Operational	N
2109	The rollback of an add operation completed.	Firewall	N
2109	The rollback of an add operation completed	Operational	N
2110	The rollback of a set operation completed.	Firewall	N
2110	The rollback of a set operation completed	Operational	N

Event ID 0

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallDiagnostics
Level: Informational

Fields #

Name	Description
`Name`
`callersAppCommandLine`
`callerFunctionName`
`threadWaitAndLockHoldTimeMs`
`fwLockHoldTimeMs`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 0,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 0,
    "time_created": "2026-03-13T16:56:23.124535+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 1944,
      "thread_id": 10968
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Name": "FwThreadWaitTimeAndHoldTimeForFwLock",
    "callersAppCommandLine": "MPSSVC",
    "callerFunctionName": "FwGetConSecRuleIdFromFilterId",
    "threadWaitAndLockHoldTimeMs": 157578,
    "fwLockHoldTimeMs": 157578
  },
  "message": ""
}

Event ID 2000: The following settings were applied to the Windows Defender Firewall at startup.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose
Level: Informational
Opcode: Info

Description

The following settings were applied to the Windows Defender Firewall at startup.

Message #

The following settings were applied to the Windows Defender Firewall at startup

	Current Profile: %1
	IPsec SA Idle time: %2
	IPsec preshared key encoding: %3
	IPsec Exempt: %4
	IPsec CRL Check: %5
	IPsec Through NAT: %6
	Policy Version Supported: %7
	Policy Version: %8
	Binary Version Supported: %9
	Stateful FTP: %10
	Group Policy Applied: %11
	Remote Machine Authorization List: %12
	Remote UserAuthorization List: %13

Fields #

Name	Description
`CurrentProfile` UInt32
`SAIdleTime` UInt32
`PresharedKeyEncoding` UInt32
`IPSecExempt` UInt32
`CrlCheck` UInt32
`IPSecThroughNAT` UInt32
`PolicyVersionSupported` UInt32
`PolicyVersion` UInt32
`BinaryVersionSupported` UInt32
`DisableStatefulFTP` UInt32
`GroupPolicyApplied` UInt32
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EnableAuditMode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2000,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-13T20:05:11.415313+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "CurrentProfile": 4,
    "SAIdleTime": 300,
    "PresharedKeyEncoding": 1,
    "IPSecExempt": 9,
    "CrlCheck": 0,
    "IPSecThroughNAT": 0,
    "PolicyVersionSupported": 544,
    "PolicyVersion": 544,
    "BinaryVersionSupported": 544,
    "DisableStatefulFTP": 0,
    "GroupPolicyApplied": 0,
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": ""
  },
  "message": ""
}

Event ID 2001: The following per profile settings were applied by Windows Defender Firewall.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose
Level: Informational
Opcode: Info

Description

The following per profile settings were applied by Windows Defender Firewall.

Message #

The following per profile settings were applied by Windows Defender Firewall 

	Profile: %1
	Operational Mode: %2
	Stealth Mode: %3
	Block all Incoming Connections: %4
	Unicast response to multicast broadcast: %5
	Log dropped packets: %6
	Log successful connections: %7
	Log ignored rules: %8
	Inbound Notifications: %9
	Allow Local Policy Merge: %12
	Allow Local IPsec Policy Merge: %13
	Default Outbound Action: %14
	Default Inbound Action: %15
	Remote Administration: %16
	Stealth Mode IPsec Secured Packet Exemption: %21
	Maximum Log file size: %17
	Log File path: %18
	Allow User preferred merge of Authorized Applications: %10
	Allow User preferred merge of Globally open ports: %11

Fields #

Name	Description
`Profile` UInt32
`OpMode` UInt32
`DisableStealthMode` UInt32
`BlockAllInbound` UInt32
`DisableUnicastResponseToMultiCastBroadCast` UInt32
`LogDroppedPackets` UInt32
`LogSuccessfulConnections` UInt32
`LogIgnoredRules` UInt32
`DisableInboundNotifications` UInt32
`AllowUserPrefMergeForApps` UInt32
`AllowUserPrefMergeForGlobalPorts` UInt32
`AllowLocalPolicyMerge` UInt32
`AllowIPSecPolicyMerge` UInt32
`DefaultOutboundAction` UInt32
`DefaultInboundAction` UInt32
`RemoteAdministrationEnabled` UInt32
`MaxLogFileSize` UInt32
`LogFilePath` UnicodeString
`DisabledInterfacesSize` UInt32
`DisabledInterfaces` Binary
`DisableStealthModeIPsecSecuredPacketExemption` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-13T20:05:11.414064+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Profile": 1,
    "OpMode": 1,
    "DisableStealthMode": 0,
    "BlockAllInbound": 0,
    "DisableUnicastResponseToMultiCastBroadCast": 0,
    "LogDroppedPackets": 0,
    "LogSuccessfulConnections": 0,
    "LogIgnoredRules": 0,
    "DisableInboundNotifications": 0,
    "AllowUserPrefMergeForApps": 1,
    "AllowUserPrefMergeForGlobalPorts": 1,
    "AllowLocalPolicyMerge": 1,
    "AllowIPSecPolicyMerge": 0,
    "DefaultOutboundAction": 0,
    "DefaultInboundAction": 1,
    "RemoteAdministrationEnabled": 0,
    "MaxLogFileSize": 2048,
    "LogFilePath": "%systemroot%\\system32\\LogFiles\\Firewall\\pfirewall.log",
    "DisabledInterfacesSize": 0,
    "DisabledInterfaces": "",
    "DisableStealthModeIPsecSecuredPacketExemption": 0
  },
  "message": ""
}

Event ID 2002: A Windows Defender Firewall setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A Windows Defender Firewall setting has changed.

Message #

A Windows Defender Firewall setting has changed.

New Setting:
	Type: %1
	Value: %4
	Modifying User: %6
	Modifying Application: %7

Fields #

Name	Description
`SettingType` UInt32
`SettingValueSize` UInt32
`SettingValue` Binary
`SettingValueDisplay` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T05:12:17.0650677+00:00",
    "event_record_id": 437,
    "correlation": {},
    "execution": {
      "process_id": 1796,
      "thread_id": 4012
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SettingType": "2",
    "SettingValueSize": "4",
    "SettingValue": "01000000",
    "SettingValueDisplay": "(null)",
    "Origin": "1",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": ""
  },
  "message": "A Windows Defender Firewall setting has changed.\r\n\r\nNew Setting:\r\n\tType:\tCurrent Profile\r\n\tValue:\t(null)\r\n\tModifying User:\tS-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052\r\n\tModifying Application:\t"
}

Event ID 2003: A Windows Defender Firewall setting in the Profiles profile has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Collection Priority: Recommended (Olaf Hartong)
Opcode: Info

Description

A Windows Defender Firewall setting in the Profiles profile has changed.

Message #

A Windows Defender Firewall setting in the %1 profile has changed.
New Setting:
	Type: %2
	Value: %5
	Modifying User: %7
	Modifying Application: %8

Fields #

Name	Description	Rules
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`SettingType` UInt32		2 detection rules
`SettingValueSize` UInt32
`SettingValue` Binary		1 detection rule
`SettingValueString` UnicodeString		1 detection rule
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2003,
    "version": "0",
    "level": "4",
    "task": "0",
    "opcode": "0",
    "keywords": 9223372036854775808,
    "time_created": "2021-06-03T19:39:52.893086100Z",
    "event_record_id": "912",
    "correlation": {},
    "execution": {
      "process_id": "1000",
      "thread_id": "5464"
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "fs01.offsec.lan",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Profiles": "1",
    "SettingType": "1",
    "SettingValueSize": "4",
    "SettingValue": "01000000",
    "SettingValueString": "Yes",
    "Origin": "1",
    "ModifyingUser": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
  }
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 2004: A rule has been added to the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Collection Priority: Recommended (NSA)
Opcode: Info

Description

A rule has been added to the Windows Defender Firewall exception list.

Message #

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23

Fields #

Name	Description	Rules
`RuleId` UnicodeString	GUID uniquely identifying the new firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific	24 detection rules
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString		2 detection rules
`RemotePorts` UnicodeString		1 detection rule
`Action` UInt32	Firewall action: 3 for allow, 2 for block	4 detection rules
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString		1 detection rule
`RemoteAddresses` UnicodeString		1 detection rule
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that added the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that added the firewall rule	11 detection rules
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2004,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223369837831520256,
    "time_created": "2026-06-13T05:51:26.0110135+00:00",
    "event_record_id": 406,
    "correlation": {},
    "execution": {
      "process_id": 1812,
      "thread_id": 2676
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{61396F04-DAD2-43D8-ACA3-3C67F2BB685D}",
    "RuleName": "WinDefend Outbound for TCP",
    "Origin": "1",
    "ApplicationPath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\MsMpEng.exe",
    "ServiceName": "WinDefend",
    "Direction": "2",
    "Protocol": "6",
    "LocalPorts": "*",
    "RemotePorts": "*",
    "Action": "3",
    "Profiles": "2147483647",
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "",
    "Flags": "1",
    "Active": "1",
    "EdgeTraversal": "0",
    "LooseSourceMapped": "0",
    "SecurityOptions": "0",
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26040.7-0\\MsMpEng.exe",
    "SchemaVersion": "543",
    "RuleStatus": "65536",
    "LocalOnlyMapped": "0"
  },
  "message": "A rule has been added to the Windows Defender Firewall exception list.\r\n\r\nAdded Rule:\r\n\tRule ID:\t{61396F04-DAD2-43D8-ACA3-3C67F2BB685D}\r\n\tRule Name:\tWinDefend Outbound for TCP\r\n\tOrigin:\tLocal\r\n\tActive:\tYes\r\n\tDirection:\tOutbound\r\n\tProfiles:\tPrivate,Domain, Public\r\n\tAction:\tAllow\r\n\tApplication Path:\tC:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26050.15-0\\MsMpEng.exe\r\n\tService Name:\tWinDefend\r\n\tProtocol:\tTCP\r\n\tSecurity Options:\tNone\r\n\tEdge Traversal:\tNone\r\n\tModifying User:\tS-1-5-18\r\n\tModifying Application:\tC:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26040.7-0\\MsMpEng.exe"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Action`	eq	`3`	2 rules	sigma

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Firewall rule added using PowerShell or CMD source medium: Detects scenarios where a firewall rule is added using PowerShell or CMD.
OpenSSH server firewall configuration on Windows (firewall) source high: Detects scenarios where an attacker configure the Windows firewall to allow incoming connections to perform stealthy lateral movement.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd364408(v=ws.10)
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2004-firewall.md

Event ID 2005: A rule has been modified in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Collection Priority: Recommended (NSA)
Opcode: Info

Description

A rule has been modified in the Windows Defender Firewall exception list.

Message #

A rule has been modified in the Windows Defender Firewall exception list.

Modified Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23

Fields #

Name	Description	Rules
`RuleId` UnicodeString	GUID of the modified firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific	8 detection rules
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that modified the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that modified the firewall rule
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2005,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223369837831520256,
    "time_created": "2026-06-13T05:45:35.5333668+00:00",
    "event_record_id": 398,
    "correlation": {},
    "execution": {
      "process_id": 1812,
      "thread_id": 312
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{FF8303C2-8C97-48FB-9B70-CEF9F3C8209C}",
    "RuleName": "f0bb9c30-7878-428e-bff8-49d4e873cb3f",
    "Origin": "1",
    "ApplicationPath": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    "ServiceName": "",
    "Direction": "1",
    "Protocol": "17",
    "LocalPorts": "5353",
    "RemotePorts": "*",
    "Action": "3",
    "Profiles": "2147483647",
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "Microsoft Edge",
    "Flags": "1",
    "Active": "1",
    "EdgeTraversal": "0",
    "LooseSourceMapped": "0",
    "SecurityOptions": "0",
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{A0BAEC76-A04A-4AF1-BF12-3AC51BC4A16B}\\EDGEMITMP_E2E83.tmp\\setup.exe",
    "SchemaVersion": "543",
    "RuleStatus": "65536",
    "LocalOnlyMapped": "0"
  },
  "message": "A rule has been modified in the Windows Defender Firewall exception list.\r\n\r\nModified Rule:\r\n\tRule ID:\t{FF8303C2-8C97-48FB-9B70-CEF9F3C8209C}\r\n\tRule Name:\tf0bb9c30-7878-428e-bff8-49d4e873cb3f\r\n\tOrigin:\tLocal\r\n\tActive:\tYes\r\n\tDirection:\tInbound\r\n\tProfiles:\tPrivate,Domain, Public\r\n\tAction:\tAllow\r\n\tApplication Path:\tC:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\r\n\tService Name:\t\r\n\tProtocol:\tUDP\r\n\tSecurity Options:\tNone\r\n\tEdge Traversal:\tNone\r\n\tModifying User:\tS-1-5-18\r\n\tModifying Application:\tC:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{A0BAEC76-A04A-4AF1-BF12-3AC51BC4A16B}\\EDGEMITMP_E2E83.tmp\\setup.exe"
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Action`	eq	`3`	1 rule	sigma

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2005-firewall.md

Event ID 2006: A rule has been deleted in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Collection Priority: Recommended (NSA)
Opcode: Info

Description

A rule has been deleted in the Windows Defender Firewall exception list.

Message #

A rule has been deleted in the Windows Defender Firewall exception list.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description	Rules
`RuleId` UnicodeString	GUID of the deleted firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`ModifyingUser` SID	SID of the account that deleted the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that deleted the firewall rule	6 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2006,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223369837831520256,
    "time_created": "2026-06-13T05:51:25.9396591+00:00",
    "event_record_id": 405,
    "correlation": {},
    "execution": {
      "process_id": 1812,
      "thread_id": 2676
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{30AE118A-CA0B-440E-8F32-B145DDBD776B}",
    "RuleName": "WinDefend Outbound for TCP",
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26040.7-0\\MsMpEng.exe"
  },
  "message": "A rule has been deleted in the Windows Defender Firewall exception list.\r\n\r\nDeleted Rule:\r\n\tRule ID:\t{30AE118A-CA0B-440E-8F32-B145DDBD776B}\r\n\tRule Name:\tWinDefend Outbound for TCP\r\n\tModifying User:\tS-1-5-18\r\n\tModifying Application:\tC:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26040.7-0\\MsMpEng.exe"
}

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2006-firewall.md

Event ID 2007: A rule has been listed when the Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose
Level: Informational
Opcode: Info

Description

A rule has been listed when the Windows Defender Firewall started.

Message #

A rule has been listed when the Windows Defender Firewall started.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`ApplicationPath` UnicodeString
`ServiceName` UnicodeString
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2007,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-13T21:48:08.634627+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 2016,
      "thread_id": 3152
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "PlayTo-QWave-Out-TCP-PlayToScope",
    "RuleName": "Cast to Device functionality (qWave-TCP-Out)",
    "Origin": 1,
    "ApplicationPath": "C:\\Windows\\system32\\svchost.exe",
    "ServiceName": "Qwave",
    "Direction": 2,
    "Protocol": 6,
    "LocalPorts": "*",
    "RemotePorts": "2177",
    "Action": 3,
    "Profiles": 6,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "@FirewallAPI.dll,-36001",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0
  },
  "message": ""
}

Event ID 2008: Windows Defender Firewall Group Policy settings have changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Windows Defender Firewall Group Policy settings have changed. The new settings have been applied.

Message #

Windows Defender Firewall Group Policy settings have changed. The new settings have been applied

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2008,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T06:21:48.9092946+00:00",
    "event_record_id": 391,
    "correlation": {},
    "execution": {
      "process_id": 1884,
      "thread_id": 4940
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": "Windows Defender Firewall Group Policy settings have changed. The new settings have been applied"
}

Event ID 2009: The Windows Defender Firewall service failed to load Group Policy.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Collection Priority: Recommended (NSA)
Opcode: Info

Description

The Windows Defender Firewall service failed to load Group Policy.

Message #

The Windows Defender Firewall service failed to load Group Policy.
Error: %1

Fields #

Name	Description
`ErrorCode` Int32

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

The Windows Defender Firewall Service Failed To Load Group Policy source low: Detects activity when The Windows Defender Firewall service failed to load Group Policy

Event ID 2010: Network profile changed on an interface.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Network profile changed on an interface.

Message #

Network profile changed on an interface.

Adapter GUID: %1
Adapter Name: %2
Old Profile: %3
New Profile: %4

Fields #

Name	Description
`InterfaceGuid` GUID
`InterfaceName` UnicodeString
`OldProfile` UInt32
`NewProfile` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2010,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:57.9546719+00:00",
    "event_record_id": 397,
    "correlation": {},
    "execution": {
      "process_id": 1812,
      "thread_id": 2636
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "InterfaceGuid": "{2a7bd48e-ddc6-4641-9f41-682f29f1d76c}",
    "InterfaceName": "ethernet_32769",
    "OldProfile": "2147483649",
    "NewProfile": "4"
  },
  "message": "Network profile changed on an interface.\r\n\r\nAdapter GUID:\t{2a7bd48e-ddc6-4641-9f41-682f29f1d76c}\r\nAdapter Name:\tethernet_32769\r\nOld Profile:\tNone\r\nNew Profile:\tPublic"
}

Event ID 2011: Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Message #

Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Reason: %1
Application Path: %2
IP Version: %3
Protocol: %4
Port: %5
Process Id: %6
User: %7

Fields #

Name	Description
`ReasonCode` UInt32
`ApplicationPath` UnicodeString
`IPVersion` UInt8
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Port` UInt16
`ProcessId` UInt32
`ModifyingUser` SID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2011,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T13:38:44.2381729+00:00",
    "event_record_id": 443,
    "correlation": {},
    "execution": {
      "process_id": 1704,
      "thread_id": 2864
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ReasonCode": "64",
    "ApplicationPath": "C:\\windows\\system32\\snmp.exe",
    "IPVersion": "0",
    "Protocol": "17",
    "Port": "161",
    "ProcessId": "7724",
    "ModifyingUser": "S-1-5-18"
  },
  "message": "Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.\r\n\r\nReason:\t\tInbound notifications are not enabled\r\nApplication Path:\tC:\\windows\\system32\\snmp.exe\r\nIP Version:\tIPv4\r\nProtocol:\tUDP\r\nPort:\t\t161\r\nProcess Id:\t7724\r\nUser:\t\tS-1-5-18"
}

Event ID 2012: A connection security rule was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Level: Informational
Opcode: Info

Description

A connection security rule was added to IPsec settings.

Message #

A connection security rule was added to IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`Active` UInt16
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString
`Endpoint2Ports` UnicodeString
`LocalTunnelEndpointV4` UInt32
`LocalTunnelEndpointV6` Binary
`RemoteTunnelEndpointV4` UInt32
`RemoteTunnelEndpointV6` Binary
`Phase1AuthSetId` UnicodeString
`Phase2AuthSetId` UnicodeString
`Phase2CryptoSetId` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`MMParentRuleId` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`IsDTM` UInt16
`ApplyAuthZ` UInt16
`BypassTunnelIfEncrypted` UInt16
`NoIPSecOnOutbound` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2012,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T20:18:50.849002+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 2024,
      "thread_id": 5644
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{381d54cc-2531-403f-a16e-a1703049dcb4}",
    "RuleName": "EvtGen-IPsec-Test",
    "Origin": 1,
    "Active": 1,
    "Protocol": 256,
    "Endpoint1Ports": "",
    "Endpoint2Ports": "",
    "LocalTunnelEndpointV4": 0,
    "LocalTunnelEndpointV6": "00000000000000000000000000000000",
    "RemoteTunnelEndpointV4": 0,
    "RemoteTunnelEndpointV6": "00000000000000000000000000000000",
    "Phase1AuthSetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
    "Phase2AuthSetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}",
    "Phase2CryptoSetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
    "Action": 2,
    "Profiles": 2147483647,
    "Endpoint1": "*",
    "Endpoint2": "*",
    "MMParentRuleId": "",
    "EmbeddedContext": "",
    "Flags": 1,
    "IsDTM": 0,
    "ApplyAuthZ": 0,
    "BypassTunnelIfEncrypted": 0,
    "NoIPSecOnOutbound": 0,
    "ModifyingUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536
  },
  "message": ""
}

Event ID 2013: A connection security rule was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Level: Informational
Opcode: Info

Description

A connection security rule was modified in IPsec settings.

Message #

A connection security rule was modified in IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`Active` UInt16
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString
`Endpoint2Ports` UnicodeString
`LocalTunnelEndpointV4` UInt32
`LocalTunnelEndpointV6` Binary
`RemoteTunnelEndpointV4` UInt32
`RemoteTunnelEndpointV6` Binary
`Phase1AuthSetId` UnicodeString
`Phase2AuthSetId` UnicodeString
`Phase2CryptoSetId` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`MMParentRuleId` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`IsDTM` UInt16
`ApplyAuthZ` UInt16
`BypassTunnelIfEncrypted` UInt16
`NoIPSecOnOutbound` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2013,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-30T02:02:49.6830225+00:00",
    "event_record_id": 6,
    "correlation": {
      "ActivityID": "{02B66287-2E1D-4FB8-9245-1CBFC66AA4A6}"
    },
    "execution": {
      "process_id": 2012,
      "thread_id": 4032
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{e88185b9-b2ad-4073-83c9-6e4038b99ccc}",
    "RuleName": "WFPCAT-ConnSec-Transport",
    "Origin": "1",
    "Active": "1",
    "Protocol": "256",
    "Endpoint1Ports": "",
    "Endpoint2Ports": "",
    "LocalTunnelEndpointV4": "0",
    "LocalTunnelEndpointV6": "00000000000000000000000000000000",
    "RemoteTunnelEndpointV4": "0",
    "RemoteTunnelEndpointV6": "00000000000000000000000000000000",
    "Phase1AuthSetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
    "Phase2AuthSetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}",
    "Phase2CryptoSetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
    "Action": "1",
    "Profiles": "2147483647",
    "Endpoint1": "*",
    "Endpoint2": "*",
    "MMParentRuleId": "",
    "EmbeddedContext": "",
    "Flags": "1",
    "IsDTM": "0",
    "ApplyAuthZ": "0",
    "BypassTunnelIfEncrypted": "0",
    "NoIPSecOnOutbound": "0",
    "ModifyingUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "SchemaVersion": "543",
    "RuleStatus": "65536"
  },
  "message": "A connection security rule was modified in IPsec settings.\r\n\r\n\tRule ID:\t{e88185b9-b2ad-4073-83c9-6e4038b99ccc}\r\n\tRule Name:\tWFPCAT-ConnSec-Transport\r\n\tOrigin:\tLocal\r\n\tActive:\tYes\r\n\tProtocol:\tAny\r\n\tEndPoint1Ports:\t\r\n\tEndPoint2Ports:\t\r\n\tLocalTunnelEndpointV4:\t0.0.0.0\r\n\tLocalTunnelEndpointV6:\t::\r\n\tRemoteTunnelEndpointV4:\t0.0.0.0\r\n\tRemoteTunnelEndpointV6:\t::\r\n\tPhase1AuthSetId:\t{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}\r\n\tPhase2AuthSetId:\t{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}\r\n\tPhase2CryptoSetId:\t{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}\r\n\tAction:\tRequire authentication for inbound connections and request authentication for outbound connections\r\n\tProfiles:\tPrivate,Domain, Public\r\n\tLocalAddresses:\t*\r\n\tRemoteAddresses:\t*\r\n\tEmbeddedContext:\t\r\n\tIsDTM:\tNo\r\n\tApplyAuthZ:\tNo\r\n\tBypassTunnelIfEncrypted:\tNo\r\n\tNoIPSecOnOutbound:\tNo\r\n\tModifyingUser:\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tModifyingApplication:\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
}

Event ID 2014: A connection security rule was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Level: Informational
Opcode: Info

Description

A connection security rule was deleted from IPsec settings.

Message #

A connection security rule was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2014,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T20:19:58.877628+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 2024,
      "thread_id": 2032
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{381d54cc-2531-403f-a16e-a1703049dcb4}",
    "RuleName": "EvtGen-IPsec-Test",
    "ModifyingUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
  },
  "message": ""
}

Event ID 2015: A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Opcode: Info

Description

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Message #

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`Active` UInt16
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString
`Endpoint2Ports` UnicodeString
`LocalTunnelEndpointV4` UInt32
`LocalTunnelEndpointV6` Binary
`RemoteTunnelEndpointV4` UInt32
`RemoteTunnelEndpointV6` Binary
`Phase1AuthSetId` UnicodeString
`Phase2AuthSetId` UnicodeString
`Phase2CryptoSetId` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`MMParentRuleId` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`IsDTM` UInt16
`ApplyAuthZ` UInt16
`BypassTunnelIfEncrypted` UInt16
`NoIPSecOnOutbound` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Event ID 2016: A main mode rule has been added in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been added in the IPsec settings.

Message #

A main mode rule has been added in the IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`Phase1AuthSetId` UnicodeString
`Phase1CryptoSetId` UnicodeString
`Flags` UInt16
`Active` UInt16
`EmbeddedContext` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Event ID 2017: A main mode rule has been modified in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been modified in the IPsec settings.

Message #

A main mode rule has been modified in the IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`Phase1AuthSetId` UnicodeString
`Phase1CryptoSetId` UnicodeString
`Flags` UInt16
`Active` UInt16
`EmbeddedContext` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Event ID 2018: A main mode rule has been deleted in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been deleted in the IPsec settings.

Message #

A main mode rule has been deleted in the IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2019: A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Opcode: Info

Description

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Message #

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`Phase1AuthSetId` UnicodeString
`Phase1CryptoSetId` UnicodeString
`Flags` UInt16
`Active` UInt16
`EmbeddedContext` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Event ID 2020: A phase 1 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings.

Message #

A phase 1 crypto set was added to IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Flags` UInt16
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`TimeOutMinutes` UInt32
`TimeOutSessions` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Event ID 2021: A phase 1 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was modified in IPsec settings.

Message #

A phase 1 crypto set was modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Flags` UInt16
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`TimeOutMinutes` UInt32
`TimeOutSessions` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Event ID 2022: A phase 1 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was deleted from IPsec settings.

Message #

A phase 1 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2023: A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Message #

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Flags` UInt16
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`TimeOutMinutes` UInt32
`TimeOutSessions` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2023,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T21:48:08.635709+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 2016,
      "thread_id": 3152
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}",
    "SetName": "Service Hardcoded Default Phase1 CryptoSet",
    "EmbeddedContext": "",
    "Origin": 5,
    "CryptoSetFlags": 0,
    "Flags": 0,
    "NumSuites": 2,
    "SuitesBinaryLength": 32,
    "CryptoSuites": "0200000003000000020000000000000002000000020000000200000000000000",
    "TimeOutMinutes": 480,
    "TimeOutSessions": 0,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536
  },
  "message": ""
}

Event ID 2024: A phase 2 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings.

Message #

A phase 2 crypto set was added to IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Pfs` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Event ID 2025: A phase 2 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was modified in IPsec settings.

Message #

A phase 2 crypto set was modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Pfs` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Event ID 2026: A phase 2 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was deleted from IPsec settings.

Message #

A phase 2 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2027: A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Message #

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Pfs` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2027,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T21:48:08.635713+00:00",
    "event_record_id": 7,
    "correlation": {},
    "execution": {
      "process_id": 2016,
      "thread_id": 3152
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
    "SetName": "Service Hardcoded Default Phase2 CryptoSet",
    "EmbeddedContext": "",
    "Origin": 5,
    "CryptoSetFlags": 0,
    "Pfs": 1,
    "NumSuites": 4,
    "SuitesBinaryLength": 112,
    "CryptoSuites": "020000000000000002000000000000003C000000A086010000000000020000000000000002000000030000003C000000A086010000000000020000000000000002000000020000003C000000A086010000000000010000000200000000000000000000003C000000A086010000000000",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536
  },
  "message": ""
}

Event ID 2028: An authentication set has been added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Level: Informational
Opcode: Info

Description

An authentication set has been added to IPsec settings.

Message #

An authentication set has been added to IPsec settings.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`IPsec Phase`
`EmbeddedContext` UnicodeString
`Origin` UInt32
`AuthSetFlags` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`AuthenticationSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`IPsecPhase` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2028,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-30T02:02:49.7430803+00:00",
    "event_record_id": 7,
    "correlation": {
      "ActivityID": "{8CE815EE-8307-48B6-A5B8-E99AFA73F7C9}"
    },
    "execution": {
      "process_id": 2012,
      "thread_id": 9912
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{013759fa-9005-463f-958c-4cb70474217f}",
    "SetName": "WFPCAT-P1Auth",
    "IPsec Phase": "1",
    "EmbeddedContext": "",
    "Origin": "1",
    "AuthSetFlags": "0",
    "NumSuites": "1",
    "SuitesBinaryLength": "62",
    "AuthenticationSuites": "03000000000000000C0000006600690072006500770061006C006C005F007700660070005F0063006100740061006C006F0067005F00700073006B000000",
    "ModifyingUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "SchemaVersion": "543",
    "RuleStatus": "65536"
  },
  "message": "An authentication set has been added to IPsec settings.\r\n\r\n\tSet ID:\t{013759fa-9005-463f-958c-4cb70474217f}\r\n\tSet Name:\tWFPCAT-P1Auth\r\n\tIPsec Phase:\tPhase 1\r\n\tOrigin:\tLocal\r\n\tNumSuites:\t1\r\n\tModifyingUser:\tS-1-5-21-1006758700-2167138679-1475694448-1105\r\n\tModifyingApplication:\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
}

Event ID 2029: An authentication set has been modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

An authentication set has been modified in IPsec settings.

Message #

An authentication set has been modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`IPsecPhase` UInt32
`EmbeddedContext` UnicodeString
`Origin` UInt32
`AuthSetFlags` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`AuthenticationSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Event ID 2030: An authentication set has been deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Level: Informational
Opcode: Info

Description

An authentication set has been deleted from IPsec settings.

Message #

An authentication set has been deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`IPsec Phase`
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`IPsecPhase` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2030,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-30T02:02:52.9126294+00:00",
    "event_record_id": 11,
    "correlation": {
      "ActivityID": "{2E4C0C33-4AE5-447C-BCE6-6C603DCC87C3}"
    },
    "execution": {
      "process_id": 2012,
      "thread_id": 13556
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{013759fa-9005-463f-958c-4cb70474217f}",
    "RuleName": "WFPCAT-P1Auth",
    "IPsec Phase": "1",
    "ModifyingUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
  },
  "message": "An authentication set has been deleted from IPsec settings.\r\n\r\nDeleted Rule:\r\n\tRule ID:\t{013759fa-9005-463f-958c-4cb70474217f}\r\n\tRule Name:\tWFPCAT-P1Auth\r\n\tModifying User:\tPhase 1\r\n\tModifying Application:\tS-1-5-21-1006758700-2167138679-1475694448-1105"
}

Event ID 2031: An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Message #

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`IPsecPhase` UInt32
`EmbeddedContext` UnicodeString
`Origin` UInt32
`AuthSetFlags` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`AuthenticationSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2031,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T21:48:08.635699+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 2016,
      "thread_id": 3152
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
    "SetName": "Service Hardcoded Default Phase1 AuthSet",
    "IPsec Phase": 1,
    "EmbeddedContext": "",
    "Origin": 5,
    "AuthSetFlags": 0,
    "NumSuites": 1,
    "SuitesBinaryLength": 12,
    "AuthenticationSuites": "020000000000000000000000",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536
  },
  "message": ""
}

Event ID 2032: Windows Defender Firewall has been reset to its default configuration.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Windows Defender Firewall has been reset to its default configuration.

Message #

Windows Defender Firewall has been reset to its default configuration.

	ModifyingUser: %1
	ModifyingApplication: %2

Fields #

Name	Description
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2032,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T23:28:37.812945+00:00",
    "event_record_id": 628,
    "correlation": {},
    "execution": {
      "process_id": 2016,
      "thread_id": 12488
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ModifyingUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ModifyingApplication": "C:\\Windows\\System32\\netsh.exe"
  },
  "message": ""
}

Event ID 2033: All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Collection Priority: Recommended (NSA)
Opcode: Info

Description

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Message #

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3

Fields #

Name	Description	Rules
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString		3 detection rules

Event ID 2034: All connection security rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All connection security rules have been deleted from the IPsec configuration on this computer.

Message #

All connection security rules have been deleted from the IPsec configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3

Fields #

Name	Description
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2035: All main mode rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All main mode rules have been deleted from the IPsec configuration on this computer.

Message #

All main mode rules have been deleted from the IPsec configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3

Fields #

Name	Description
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2036: All authentication sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All authentication sets have been deleted from the IPsec configuration on this computer.

Message #

All authentication sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase: %1
	Store Type: %2
	ModifyingUser: %3
	ModifyingApplication: %4

Fields #

Name	Description
`IPsecPhase` UInt32
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2037: All crypto sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All crypto sets have been deleted from the IPsec configuration on this computer.

Message #

All crypto sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase: %1
	Store Type: %2
	ModifyingUser: %3
	ModifyingApplication: %4

Fields #

Name	Description
`IPsecPhase` UInt32
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2038: Windows Defender Firewall did not apply the following rule because the rule was not properly configured on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

Windows Defender Firewall did not apply the following rule because the rule was not properly configured on this computer.

Message #

Windows Defender Firewall did not apply the following rule because the rule was not properly configured on this computer:

Rule Information:
	ID: %1
	Name: %2

Error Information:
	Reason: %3

Fields #

Name	Description
`ID` UnicodeString
`Name` UnicodeString
`Reason` UnicodeString
`RuleStatus` UInt32

Event ID 2039: Http Proxies Changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Network Isolation Operational
Level: Informational
Opcode: Info

Description

Http Proxies Changed.

Message #

Http Proxies Changed

Reason: %1

All Proxies: %2

All Domain Proxies: %3

Group Policy Configured Domain Proxies: %4

Group Policy Configured Local Proxies: %5

All DA Nat64 Domain Proxies: %6

Group Policy is authoritative: %7

Fields #

Name	Description
`ChangeType` UInt32
`All Proxies`
`All Domain Proxies`
`GP Configured Domain Proxies`
`GP Configured Local Proxies`
`All DA Nat64 Proxies`
`GP Is Authoritative`
`AllProxies`
`AllDomainProxies`
`GPConfiguredDomainProxies`
`GPConfiguredLocalProxies`
`AllDANat64Proxies`
`GPIsAuthoritative`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2039,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423504,
    "time_created": "2026-06-13T14:56:41.1117621+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 1812,
      "thread_id": 2716
    },
    "channel": "Network Isolation Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ChangeType": "0",
    "All Proxies": "*",
    "All Domain Proxies": "*",
    "GP Configured Domain Proxies": "*",
    "GP Configured Local Proxies": "*",
    "All DA Nat64 Proxies": "*",
    "GP Is Authoritative": "0"
  },
  "message": "Http Proxies Changed\r\n\r\nReason: \tGroup Policy Change\r\n\r\nAll Proxies:\t*\r\n\r\nAll Domain Proxies:\t*\r\n\r\nGroup Policy Configured Domain Proxies:\t*\r\n\r\nGroup Policy Configured Local Proxies:\t*\r\n\r\nAll DA Nat64 Domain Proxies:\t*\r\n\r\nGroup Policy is authoritative:\tNo\r\n"
}

Event ID 2040: Corp Subnets Changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Network Isolation Operational
Level: Informational
Opcode: Info

Description

Corp Subnets Changed.

Message #

Corp Subnets Changed

Reason: %1

All Domain Subnets: %2

Group Policy Configured Domain Subnets: %3

All DA Nat64 Domain Subnets: %4

Group Policy is authoritative: %5

Fields #

Name	Description
`ChangeType` UInt32
`AllDomainProxies` UnicodeString
`GPConfiguredDomainSubnets` UnicodeString
`AllDANat64DomainSubnets` UnicodeString
`GPIsAuthoritative` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2040,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423504,
    "time_created": "2026-03-13T20:05:11.615994+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Network Isolation Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ChangeType": 0,
    "All Domain Proxies": "*",
    "GP Configured Domain Subnets": "*",
    "All DA Nat64 Domain Subnets": "*",
    "GP Is Authoritative": 0
  },
  "message": ""
}

Event ID 2041: Capability Changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Network Isolation Operational
Level: Informational
Opcode: Info

Description

Capability Changed.

Message #

Capability Changed

Reason: %1

Capability: %2
Profile: %3
IP Range Definition: %4

Fields #

Name	Description
`ChangeType` UInt32
`Capability` UInt32
`Profile` UInt32
`IP Range Definition`
`IPRangeDefinition`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2041,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423504,
    "time_created": "2026-06-13T14:56:41.1120094+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 1812,
      "thread_id": 2716
    },
    "channel": "Network Isolation Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ChangeType": "2",
    "Capability": "0",
    "Profile": "4",
    "IP Range Definition": "0.0.0.0-255.255.255.255,::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
  },
  "message": "Capability Changed\r\n\r\nReason: \tHttp Proxies\r\n\r\nCapability:\tInternet\r\nProfile:\tPublic\r\nIP Range Definition:\t0.0.0.0-255.255.255.255,::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
}

Event ID 2042: Config Read Failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: System
Opcode: Info

Description

Config Read Failed.

Message #

Config Read Failed

Config: %1
Error: %2

Fields #

Name	Description
`SettingType` UInt32
`ErrorCode` Int32

Event ID 2043: The Windows Firewall Service failed to initialize a component.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

The Windows Firewall Service failed to initialize a component. Some policies may not be fully enforced.

Message #

The Windows Firewall Service failed to initialize a component. Some policies may not be fully enforced. 

Component Name: %1
Error Code: %2

Fields #

Name	Description
`ComponentName` UnicodeString
`ErrorCode` UInt32

Event ID 2044: Added Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Added Dynamic Keyword Address.

Message #

Added Dynamic Keyword Address.

Error Code: %1
Id: %2
Keyword: %3
Addresses	%4
AutoResolve: %5

Fields #

Name	Description
`ErrorCode` UInt32
`Id` UInt32
`Keyword` UnicodeString
`Addresses` UnicodeString
`AutoResolve` UInt16

Event ID 2045: Deleted Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Deleted Dynamic Keyword Address.

Message #

Deleted Dynamic Keyword Address.

Error Code: %1
Id: %2

Fields #

Name	Description
`ErrorCode` UInt32
`Id` UInt32

Event ID 2046: Updated Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Updated Dynamic Keyword Address.

Message #

Updated Dynamic Keyword Address.

Error Code: %1
Id: %2
Append: %3
Previous Addresses: %4
Addresses to update: %5
Updated Addresses	%6

Fields #

Name	Description
`ErrorCode` UInt32
`Id` UInt32
`Append` UInt16
`PreviousAddresses` UnicodeString
`AddressesToUpdate` UnicodeString
`UpdatedAddresses` UnicodeString

Event ID 2047: Tenant Restrictions Policy Update.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Tenant Restrictions Policy Update.

Message #

Tenant Restrictions Policy Update.

Error code: %1
Old Addresses: %2
New Addresses: %3

Fields #

Name	Description
`ErrorCode` UInt32
`PreviousAddresses` UnicodeString
`UpdatedAddresses` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2047,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T06:21:48.9171170+00:00",
    "event_record_id": 392,
    "correlation": {},
    "execution": {
      "process_id": 1884,
      "thread_id": 4940
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ErrorCode": "0",
    "PreviousAddresses": "",
    "UpdatedAddresses": ""
  },
  "message": "Tenant Restrictions Policy Update.\r\n\r\nError code:\t0\r\nOld Addresses:\t\r\nNew Addresses:\t"
}

Event ID 2048: Added Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Added Dynamic Keyword Address.

Message #

Added Dynamic Keyword Address.

Error Code: %1
Id: %2
Keyword: %3
Addresses	%4
AutoResolve: %5

Fields #

Name	Description
`ErrorCode` UInt32
`Id` GUID
`Keyword` UnicodeString
`Addresses` UnicodeString
`AutoResolve` UInt16

Event ID 2049: Deleted Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Deleted Dynamic Keyword Address.

Message #

Deleted Dynamic Keyword Address.

Error Code: %1
Id: %2

Fields #

Name	Description
`ErrorCode` UInt32
`Id` GUID

Event ID 2050: Updated Dynamic Keyword Address.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Updated Dynamic Keyword Address.

Message #

Updated Dynamic Keyword Address.

Error Code: %1
Id: %2
Append: %3
Previous Addresses: %4
Addresses to update: %5
Updated Addresses	%6

Fields #

Name	Description
`ErrorCode` UInt32
`Id` GUID
`Append` UInt16
`PreviousAddresses` UnicodeString
`AddressesToUpdate` UnicodeString
`UpdatedAddresses` UnicodeString

Event ID 2051: Tenant Restrictions Policy Update.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Tenant Restrictions Policy Update.

Message #

Tenant Restrictions Policy Update

Error code: %1
Policy Change: %2

Fields #

Name	Description
`ErrorCode` UInt32
`PolicyChange` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2051,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:51.342732+00:00",
    "event_record_id": 717,
    "correlation": {},
    "execution": {
      "process_id": 3344,
      "thread_id": 3768
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ErrorCode": 0,
    "PolicyChange": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2051: Tenant Restrictions Policy Update

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Level: 4
Opcode: Info

Description

Tenant Restrictions Policy Update.

Fields #

Name	Description
`ErrorCode` UInt32
`PolicyChange` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "event_id": 2051,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-05-27T19:32:07.0409171+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security"
  },
  "event_data": {
    "PolicyChange": "0",
    "ErrorCode": "0"
  }
}

Event ID 2052: A rule has been deleted in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A rule has been deleted in the Windows Defender Firewall exception list.

Message #

A rule has been deleted in the Windows Defender Firewall exception list.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %5

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the deleted firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`ModifyingUser` SID	SID of the account that deleted the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that deleted the firewall rule
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2052,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2023-11-06T01:42:34.475801+00:00",
    "event_record_id": 1314,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 16976
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{7F9A364D-0AAE-43ED-A6D1-8D400D83CF18}",
    "RuleName": "WindowsAppRuntime.1.2",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "ErrorCode": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2052-firewall-windows-11.md

Event ID 2052: A rule has been deleted in the Windows Defender Firewall exception list

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Level: 4
Opcode: Info

Description

A rule has been deleted in the Windows Defender Firewall exception list.

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the deleted firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`ModifyingUser` SID	SID of the account that deleted the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that deleted the firewall rule
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "event_id": 2052,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-05-27T16:23:35.0178969+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security"
  },
  "event_data": {
    "RuleName": "Xbox",
    "ErrorCode": "0",
    "RuleId": "Microsoft.GamingApp_8wekyb3d8bbwe-Out-Allow-AllCapabilities",
    "ModifyingApplication": "C:\\WINDOWS\\System32\\svchost.exe",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052"
  }
}

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2052-firewall-windows-11.md

Event ID 2053: A connection security rule was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A connection security rule was deleted from IPsec settings.

Message #

A connection security rule was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %5

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2053: A connection security rule was deleted from IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A connection security rule was deleted from IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2054: A main mode rule has been deleted in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been deleted in the IPsec settings.

Message #

A main mode rule has been deleted in the IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %5

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2054: A main mode rule has been deleted in the IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A main mode rule has been deleted in the IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2055: A phase 1 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was deleted from IPsec settings.

Message #

A phase 1 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %5

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2055: A phase 1 crypto set was deleted from IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 1 crypto set was deleted from IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2056: A phase 2 crypto set was deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was deleted from IPsec settings.

Message #

A phase 2 crypto set was deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %5

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2056: A phase 2 crypto set was deleted from IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 2 crypto set was deleted from IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2057: All connection security rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All connection security rules have been deleted from the IPsec configuration on this computer.

Message #

All connection security rules have been deleted from the IPsec configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3
	Error Code: %4

Fields #

Name	Description
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2057: All connection security rules have been deleted from the IPsec configuration on this computer

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

All connection security rules have been deleted from the IPsec configuration on this computer.

Fields #

Name	Description
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2058: All main mode rules have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All main mode rules have been deleted from the IPsec configuration on this computer.

Message #

All main mode rules have been deleted from the IPsec configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3
	Error Code: %4

Fields #

Name	Description
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2058: All main mode rules have been deleted from the IPsec configuration on this computer

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

All main mode rules have been deleted from the IPsec configuration on this computer.

Fields #

Name	Description
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2059: All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Message #

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

	Store Type: %1
	ModifyingUser: %2
	ModifyingApplication: %3
	Error Code: %4

Fields #

Name	Description
`StoreType`
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2059,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:51.342184+00:00",
    "event_record_id": 716,
    "correlation": {},
    "execution": {
      "process_id": 3344,
      "thread_id": 3768
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Store Type": 12,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "ErrorCode": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2059: All rules have been deleted from the Windows Defender Firewall configuration on this computer

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Level: 4
Opcode: Info

Description

All rules have been deleted from the Windows Defender Firewall configuration on this computer.

Fields #

Name	Description
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "event_id": 2059,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-05-27T19:32:07.0408785+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security"
  },
  "event_data": {
    "ErrorCode": "0",
    "Store Type": "12",
    "ModifyingApplication": "C:\\WINDOWS\\System32\\svchost.exe",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052"
  }
}

Event ID 2060: Windows Defender Firewall has been reset to its default configuration.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Windows Defender Firewall has been reset to its default configuration.

Message #

Windows Defender Firewall has been reset to its default configuration.

	ModifyingUser: %1
	ModifyingApplication: %2
	Error Code: %3

Fields #

Name	Description
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2060: Windows Defender Firewall has been reset to its default configuration

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

Windows Defender Firewall has been reset to its default configuration.

Fields #

Name	Description
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2061: A connection security rule was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A connection security rule was added to IPsec settings.

Message #

A connection security rule was added to IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27
	Error Code: %30

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`Active` UInt16
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString
`Endpoint2Ports` UnicodeString
`LocalTunnelEndpointV4` UInt32
`LocalTunnelEndpointV6` Binary
`RemoteTunnelEndpointV4` UInt32
`RemoteTunnelEndpointV6` Binary
`Phase1AuthSetId` UnicodeString
`Phase2AuthSetId` UnicodeString
`Phase2CryptoSetId` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`MMParentRuleId` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`IsDTM` UInt16
`ApplyAuthZ` UInt16
`BypassTunnelIfEncrypted` UInt16
`NoIPSecOnOutbound` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2061: A connection security rule was added to IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A connection security rule was added to IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`Active` UInt16
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString
`Endpoint2Ports` UnicodeString
`LocalTunnelEndpointV4` UInt32
`LocalTunnelEndpointV6` Binary
`RemoteTunnelEndpointV4` UInt32
`RemoteTunnelEndpointV6` Binary
`Phase1AuthSetId` UnicodeString
`Phase2AuthSetId` UnicodeString
`Phase2CryptoSetId` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`MMParentRuleId` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`IsDTM` UInt16
`ApplyAuthZ` UInt16
`BypassTunnelIfEncrypted` UInt16
`NoIPSecOnOutbound` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2062: A connection security rule was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A connection security rule was modified in IPsec settings.

Message #

A connection security rule was modified in IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27
	Error Code: %30

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`Active` UInt16
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString
`Endpoint2Ports` UnicodeString
`LocalTunnelEndpointV4` UInt32
`LocalTunnelEndpointV6` Binary
`RemoteTunnelEndpointV4` UInt32
`RemoteTunnelEndpointV6` Binary
`Phase1AuthSetId` UnicodeString
`Phase2AuthSetId` UnicodeString
`Phase2CryptoSetId` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`MMParentRuleId` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`IsDTM` UInt16
`ApplyAuthZ` UInt16
`BypassTunnelIfEncrypted` UInt16
`NoIPSecOnOutbound` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2062: A connection security rule was modified in IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A connection security rule was modified in IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`Active` UInt16
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString
`Endpoint2Ports` UnicodeString
`LocalTunnelEndpointV4` UInt32
`LocalTunnelEndpointV6` Binary
`RemoteTunnelEndpointV4` UInt32
`RemoteTunnelEndpointV6` Binary
`Phase1AuthSetId` UnicodeString
`Phase2AuthSetId` UnicodeString
`Phase2CryptoSetId` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`MMParentRuleId` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`IsDTM` UInt16
`ApplyAuthZ` UInt16
`BypassTunnelIfEncrypted` UInt16
`NoIPSecOnOutbound` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2063: A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Opcode: Info

Description

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Message #

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %4
	Protocol: %5
	EndPoint1Ports: %6
	EndPoint2Ports: %7
	LocalTunnelEndpointV4: %8
	LocalTunnelEndpointV6: %9
	RemoteTunnelEndpointV4: %10
	RemoteTunnelEndpointV6: %11
	Phase1AuthSetId: %12
	Phase2AuthSetId: %13
	Phase2CryptoSetId: %14
	Action: %15
	Profiles: %16
	LocalAddresses: %17
	RemoteAddresses: %18
	EmbeddedContext: %20
	IsDTM: %22
	ApplyAuthZ: %23
	BypassTunnelIfEncrypted: %24
	NoIPSecOnOutbound: %25
	ModifyingUser: %26
	ModifyingApplication: %27n	Error Code: %30

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`Active` UInt16
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString
`Endpoint2Ports` UnicodeString
`LocalTunnelEndpointV4` UInt32
`LocalTunnelEndpointV6` Binary
`RemoteTunnelEndpointV4` UInt32
`RemoteTunnelEndpointV6` Binary
`Phase1AuthSetId` UnicodeString
`Phase2AuthSetId` UnicodeString
`Phase2CryptoSetId` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`MMParentRuleId` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`IsDTM` UInt16
`ApplyAuthZ` UInt16
`BypassTunnelIfEncrypted` UInt16
`NoIPSecOnOutbound` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2063: A connection security rule was added to IPsec settings when Windows Defender Firewall started

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A connection security rule was added to IPsec settings when Windows Defender Firewall started.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`Active` UInt16
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint1Ports` UnicodeString
`Endpoint2Ports` UnicodeString
`LocalTunnelEndpointV4` UInt32
`LocalTunnelEndpointV6` Binary
`RemoteTunnelEndpointV4` UInt32
`RemoteTunnelEndpointV6` Binary
`Phase1AuthSetId` UnicodeString
`Phase2AuthSetId` UnicodeString
`Phase2CryptoSetId` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`MMParentRuleId` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`IsDTM` UInt16
`ApplyAuthZ` UInt16
`BypassTunnelIfEncrypted` UInt16
`NoIPSecOnOutbound` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2064: An authentication set has been added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

An authentication set has been added to IPsec settings.

Message #

An authentication set has been added to IPsec settings.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`IPsecPhase` UInt32
`EmbeddedContext` UnicodeString
`Origin` UInt32
`AuthSetFlags` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`AuthenticationSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2064: An authentication set has been added to IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

An authentication set has been added to IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`IPsecPhase` UInt32
`EmbeddedContext` UnicodeString
`Origin` UInt32
`AuthSetFlags` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`AuthenticationSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2065: An authentication set has been modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

An authentication set has been modified in IPsec settings.

Message #

An authentication set has been modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`IPsecPhase` UInt32
`EmbeddedContext` UnicodeString
`Origin` UInt32
`AuthSetFlags` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`AuthenticationSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2065: An authentication set has been modified in IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

An authentication set has been modified in IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`IPsecPhase` UInt32
`EmbeddedContext` UnicodeString
`Origin` UInt32
`AuthSetFlags` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`AuthenticationSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2066: An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Message #

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	IPsec Phase: %3
	Origin: %5
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`IPsecPhase` UInt32
`EmbeddedContext` UnicodeString
`Origin` UInt32
`AuthSetFlags` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`AuthenticationSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2066,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T20:05:11.425413+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
    "SetName": "Service Hardcoded Default Phase1 AuthSet",
    "IPsec Phase": 1,
    "EmbeddedContext": "",
    "Origin": 5,
    "AuthSetFlags": 0,
    "NumSuites": 1,
    "SuitesBinaryLength": 12,
    "AuthenticationSuites": "020000000000000000000000",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536,
    "ErrorCode": 0
  },
  "message": ""
}

Event ID 2066: An authentication set has been added to IPsec settings when Windows Defender Firewall started

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Level: 4
Opcode: Info

Description

An authentication set has been added to IPsec settings when Windows Defender Firewall started.

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`IPsec Phase`
`EmbeddedContext` UnicodeString
`Origin` UInt32
`AuthSetFlags` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`AuthenticationSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32
`IPsecPhase` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2066,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-04-17T20:04:50.7298994+00:00",
    "event_record_id": 74,
    "correlation": {},
    "execution": {
      "process_id": 1948,
      "thread_id": 3436
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}",
    "SetName": "Service Hardcoded Default Phase2 AuthSet",
    "IPsec Phase": "2",
    "EmbeddedContext": "",
    "Origin": "5",
    "AuthSetFlags": "0",
    "NumSuites": "0",
    "SuitesBinaryLength": "0",
    "AuthenticationSuites": "",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": "512",
    "RuleStatus": "65536",
    "ErrorCode": "0"
  },
  "message": "An authentication set has been added to IPsec settings when Windows Defender Firewall started.\r\n\r\n\tSet ID:\t{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}\r\n\tSet Name:\tService Hardcoded Default Phase2 AuthSet\r\n\tIPsec Phase:\tPhase 2\r\n\tOrigin:\tHardcoded\r\n\tNumSuites:\t0\r\n\tModifyingUser:\tS-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052\r\n\tModifyingApplication:\tC:\\Windows\\System32\\svchost.exe\r\n\tError Code:\t0"
}

Event ID 2067: An authentication set has been deleted from IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

An authentication set has been deleted from IPsec settings.

Message #

An authentication set has been deleted from IPsec settings.

Deleted Rule:
	Rule ID: %1
	Rule Name: %2
	Modifying User: %3
	Modifying Application: %4
	Error Code: %6

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`IPsecPhase` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2067: An authentication set has been deleted from IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

An authentication set has been deleted from IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`IPsecPhase` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2068: A main mode rule has been added in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been added in the IPsec settings.

Message #

A main mode rule has been added in the IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`Phase1AuthSetId` UnicodeString
`Phase1CryptoSetId` UnicodeString
`Flags` UInt16
`Active` UInt16
`EmbeddedContext` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2068: A main mode rule has been added in the IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A main mode rule has been added in the IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`Phase1AuthSetId` UnicodeString
`Phase1CryptoSetId` UnicodeString
`Flags` UInt16
`Active` UInt16
`EmbeddedContext` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2069: A main mode rule has been modified in the IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A main mode rule has been modified in the IPsec settings.

Message #

A main mode rule has been modified in the IPsec settings.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`Phase1AuthSetId` UnicodeString
`Phase1CryptoSetId` UnicodeString
`Flags` UInt16
`Active` UInt16
`EmbeddedContext` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2069: A main mode rule has been modified in the IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A main mode rule has been modified in the IPsec settings.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`Phase1AuthSetId` UnicodeString
`Phase1CryptoSetId` UnicodeString
`Flags` UInt16
`Active` UInt16
`EmbeddedContext` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2070: A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Opcode: Info

Description

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Message #

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

	Rule ID: %1
	Rule Name: %2
	Profiles: %3
	Endpoint1: %4
	Endpoint2: %5
	Phase1AuthSetId: %6
	Phase1CryptoSetId: %7
	Flags: %8
	Active: %9
	EmbeddedContext: %10
	Origin: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`Phase1AuthSetId` UnicodeString
`Phase1CryptoSetId` UnicodeString
`Flags` UInt16
`Active` UInt16
`EmbeddedContext` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2070: A main mode rule was added to the IPsec settings when Windows Defender Firewall started

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A main mode rule was added to the IPsec settings when Windows Defender Firewall started.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`Endpoint1` UnicodeString
`Endpoint2` UnicodeString
`Phase1AuthSetId` UnicodeString
`Phase1CryptoSetId` UnicodeString
`Flags` UInt16
`Active` UInt16
`EmbeddedContext` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2071: A rule has been added to the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A rule has been added to the Windows Defender Firewall exception list.

Message #

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23
	Error Code: %27

Fields #

Name	Description
`RuleId` UnicodeString	GUID uniquely identifying the new firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that added the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that added the firewall rule
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2071,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2026-03-11T19:32:55.589894+00:00",
    "event_record_id": 1605,
    "correlation": {
      "ActivityID": "33984C15-9559-46A4-820A-46ACEBD01B04"
    },
    "execution": {
      "process_id": 3120,
      "thread_id": 2392
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{DC92C56C-4138-4D46-B25D-97D3C349B695}",
    "RuleName": "@{Microsoft.DesktopAppInstaller_1.28.220.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}",
    "Origin": 1,
    "ApplicationPath": "",
    "ServiceName": "",
    "Direction": 1,
    "Protocol": 256,
    "LocalPorts": "",
    "RemotePorts": "",
    "Action": 3,
    "Profiles": 3,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "@{Microsoft.DesktopAppInstaller_1.28.220.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.DesktopAppInstaller/Resources/appDisplayName}",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 544,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "ErrorCode": 0
  },
  "message": ""
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Action`	eq	`3`	1 rule	sigma

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2071-firewall-windows-11.md

Event ID 2071: A rule has been added to the Windows Defender Firewall exception list

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A rule has been added to the Windows Defender Firewall exception list.

Fields #

Name	Description
`RuleId` UnicodeString	GUID uniquely identifying the new firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that added the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that added the firewall rule
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`ErrorCode` UInt32

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Action`	eq	`3`	1 rule	sigma

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2071-firewall-windows-11.md

Event ID 2072: A rule has been listed when the Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose
Level: Informational
Opcode: Info

Description

A rule has been listed when the Windows Defender Firewall started.

Message #

A rule has been listed when the Windows Defender Firewall started.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Error Code: %27

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`ApplicationPath` UnicodeString
`ServiceName` UnicodeString
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2072,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-13T20:05:11.416192+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "WFDPRINT-SPOOL-Out-Active",
    "RuleName": "Wi-Fi Direct Spooler Use (Out)",
    "Origin": 1,
    "ApplicationPath": "C:\\Windows\\system32\\spoolsv.exe",
    "ServiceName": "Spooler",
    "Direction": 2,
    "Protocol": 256,
    "LocalPorts": "",
    "RemotePorts": "",
    "Action": 3,
    "Profiles": 4,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "@FirewallAPI.dll,-36851",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "ErrorCode": 0
  },
  "message": ""
}

Event ID 2072: A rule has been listed when the Windows Defender Firewall started

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A rule has been listed when the Windows Defender Firewall started.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`ApplicationPath` UnicodeString
`ServiceName` UnicodeString
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`ErrorCode` UInt32

Event ID 2073: A rule has been modified in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A rule has been modified in the Windows Defender Firewall exception list.

Message #

A rule has been modified in the Windows Defender Firewall exception list.

Modified Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23
	Error Code: %27

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the modified firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that modified the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that modified the firewall rule
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2073,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2026-03-11T06:32:02.846978+00:00",
    "event_record_id": 1566,
    "correlation": {
      "ActivityID": "BD42C297-A749-4662-942F-72276C54015A"
    },
    "execution": {
      "process_id": 3120,
      "thread_id": 3720
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "WSLCore-SharedAccess-Allow-Rule",
    "RuleName": "WSLCore SharedAccess Allow Rule",
    "Origin": 3,
    "ApplicationPath": "C:\\Windows\\System32\\svchost.exe",
    "ServiceName": "SharedAccess",
    "Direction": 1,
    "Protocol": 17,
    "LocalPorts": "53",
    "RemotePorts": "*",
    "Action": 3,
    "Profiles": 2147483647,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "SchemaVersion": 544,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "ErrorCode": 0
  },
  "message": ""
}

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2073-firewall-windows-11.md

Event ID 2073: A rule has been modified in the Windows Defender Firewall exception list

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A rule has been modified in the Windows Defender Firewall exception list.

Fields #

Name	Description
`RuleId` UnicodeString	GUID of the modified firewall rule
`RuleName` UnicodeString	Name of the firewall rule as it appears in Windows Firewall
`Origin` UInt32
`ApplicationPath` UnicodeString	Path to the application this rule applies to, if application-specific
`ServiceName` UnicodeString	Name of the service this rule applies to, if service-specific
`Direction` UInt32	Direction of the rule: 1 for inbound, 2 for outbound Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32	Firewall action: 3 for allow, 2 for block
`Profiles` UInt32	Firewall profiles (Private/Domain/Public) this rule applies to Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16	Whether the rule is enabled: 0 for disabled, 1 for enabled
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16	Security options: 0 for none, 1 for require authentication
`ModifyingUser` SID	SID of the account that modified the firewall rule
`ModifyingApplication` UnicodeString	Full image path of the process that modified the firewall rule
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`ErrorCode` UInt32

References #

Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-2073-firewall-windows-11.md

Event ID 2074: All authentication sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All authentication sets have been deleted from the IPsec configuration on this computer.

Message #

All authentication sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase: %1
	Store Type: %2
	ModifyingUser: %3
	ModifyingApplication: %4
	Error Code: %5

Fields #

Name	Description
`IPsecPhase` UInt32
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2074: All authentication sets have been deleted from the IPsec configuration on this computer

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

All authentication sets have been deleted from the IPsec configuration on this computer.

Fields #

Name	Description
`IPsecPhase` UInt32
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2075: All crypto sets have been deleted from the IPsec configuration on this computer.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

All crypto sets have been deleted from the IPsec configuration on this computer.

Message #

All crypto sets have been deleted from the IPsec configuration on this computer.

	IPsec Phase: %1
	Store Type: %2
	ModifyingUser: %3
	ModifyingApplication: %4
	Error Code: %5

Fields #

Name	Description
`IPsecPhase` UInt32
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2075: All crypto sets have been deleted from the IPsec configuration on this computer

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

All crypto sets have been deleted from the IPsec configuration on this computer.

Fields #

Name	Description
`IPsecPhase` UInt32
`StoreType` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2076: A phase 1 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings.

Message #

A phase 1 crypto set was added to IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Flags` UInt16
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`TimeOutMinutes` UInt32
`TimeOutSessions` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2076: A phase 1 crypto set was added to IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Flags` UInt16
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`TimeOutMinutes` UInt32
`TimeOutSessions` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2077: A phase 1 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 1 crypto set was modified in IPsec settings.

Message #

A phase 1 crypto set was modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Flags` UInt16
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`TimeOutMinutes` UInt32
`TimeOutSessions` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2077: A phase 1 crypto set was modified in IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 1 crypto set was modified in IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Flags` UInt16
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`TimeOutMinutes` UInt32
`TimeOutSessions` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2078: A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Message #

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Flags: %6
	NumSuites: %7
	TimeOutMinutes: %10
	TimeOutSessions: %11
	ModifyingUser: %12
	ModifyingApplication: %13
	Error Code: %16

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Flags` UInt16
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`TimeOutMinutes` UInt32
`TimeOutSessions` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2078,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T20:05:11.425493+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}",
    "SetName": "Service Hardcoded Default Phase1 CryptoSet",
    "EmbeddedContext": "",
    "Origin": 5,
    "CryptoSetFlags": 0,
    "Flags": 0,
    "NumSuites": 2,
    "SuitesBinaryLength": 32,
    "CryptoSuites": "0200000003000000020000000000000002000000020000000200000000000000",
    "TimeOutMinutes": 480,
    "TimeOutSessions": 0,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536,
    "ErrorCode": 0
  },
  "message": ""
}

Event ID 2078: A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Level: 4
Opcode: Info

Description

A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Flags` UInt16
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`TimeOutMinutes` UInt32
`TimeOutSessions` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2078,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-04-17T20:04:50.7299853+00:00",
    "event_record_id": 76,
    "correlation": {},
    "execution": {
      "process_id": 1948,
      "thread_id": 3436
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}",
    "SetName": "Service Hardcoded Default Phase1 CryptoSet",
    "EmbeddedContext": "",
    "Origin": "5",
    "CryptoSetFlags": "0",
    "Flags": "0",
    "NumSuites": "2",
    "SuitesBinaryLength": "32",
    "CryptoSuites": "0200000003000000020000000000000002000000020000000200000000000000",
    "TimeOutMinutes": "480",
    "TimeOutSessions": "0",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": "512",
    "RuleStatus": "65536",
    "ErrorCode": "0"
  },
  "message": "A phase 1 crypto set was added to IPsec settings when Windows Defender Firewall started.\r\n\r\n\tSet ID:\t{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}\r\n\tSet Name:\tService Hardcoded Default Phase1 CryptoSet\r\n\tOrigin:\tHardcoded\r\n\tFlags:\tNone\r\n\tNumSuites:\t2\r\n\tTimeOutMinutes:\t480\r\n\tTimeOutSessions:\t0\r\n\tModifyingUser:\tS-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052\r\n\tModifyingApplication:\tC:\\Windows\\System32\\svchost.exe\r\n\tError Code:\t0"
}

Event ID 2079: A phase 2 crypto set was added to IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings.

Message #

A phase 2 crypto set was added to IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Pfs` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2079: A phase 2 crypto set was added to IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Pfs` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2080: A phase 2 crypto set was modified in IPsec settings.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurity
Opcode: Info

Description

A phase 2 crypto set was modified in IPsec settings.

Message #

A phase 2 crypto set was modified in IPsec settings.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Pfs` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2080: A phase 2 crypto set was modified in IPsec settings

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A phase 2 crypto set was modified in IPsec settings.

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Pfs` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Event ID 2081: A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: ConnectionSecurityVerbose
Level: Informational
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Message #

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

	Set ID: %1
	Set Name: %2
	Origin: %4
	Pfs: %6
	NumSuites: %7
	ModifyingUser: %10
	ModifyingApplication: %11
	Error Code: %14

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Pfs` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2081,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T20:05:11.425532+00:00",
    "event_record_id": 7,
    "correlation": {},
    "execution": {
      "process_id": 1288,
      "thread_id": 3508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
    "SetName": "Service Hardcoded Default Phase2 CryptoSet",
    "EmbeddedContext": "",
    "Origin": 5,
    "CryptoSetFlags": 0,
    "Pfs": 1,
    "NumSuites": 4,
    "SuitesBinaryLength": 112,
    "CryptoSuites": "020000000000000002000000000000003C000000A086010000000000020000000000000002000000030000003C000000A086010000000000020000000000000002000000020000003C000000A086010000000000010000000200000000000000000000003C000000A086010000000000",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 512,
    "RuleStatus": 65536,
    "ErrorCode": 0
  },
  "message": ""
}

Event ID 2081: A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Level: 4
Opcode: Info

Description

A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.

Fields #

Name	Description
`SetId` UnicodeString
`SetName` UnicodeString
`EmbeddedContext` UnicodeString
`Origin` UInt32
`CryptoSetFlags` UInt32
`Pfs` UInt32
`NumSuites` UInt32
`SuitesBinaryLength` UInt32
`CryptoSuites` Binary
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "{D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85}",
    "event_source_name": "",
    "event_id": 2081,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-04-17T20:04:50.7300637+00:00",
    "event_record_id": 80,
    "correlation": {},
    "execution": {
      "process_id": 1948,
      "thread_id": 3436
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SetId": "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE5}",
    "SetName": "",
    "EmbeddedContext": "",
    "Origin": "4",
    "CryptoSetFlags": "0",
    "Pfs": "1",
    "NumSuites": "4",
    "SuitesBinaryLength": "112",
    "CryptoSuites": "020000000000000002000000030000003C000000A086010000000000020000000000000002000000020000003C000000A086010000000000020000000000000002000000000000003C000000A086010000000000010000000200000000000000000000003C000000A086010000000000",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": "512",
    "RuleStatus": "65536",
    "ErrorCode": "0"
  },
  "message": "A phase 2 crypto set was added to IPsec settings when Windows Defender Firewall started.\r\n\r\n\tSet ID:\t{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE5}\r\n\tSet Name:\t\r\n\tOrigin:\tAutoGenerated\r\n\tPfs:\tNone\r\n\tNumSuites:\t4\r\n\tModifyingUser:\tS-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052\r\n\tModifyingApplication:\tC:\\Windows\\System32\\svchost.exe\r\n\tError Code:\t0"
}

Event ID 2082: A Windows Defender Firewall setting in the Profiles profile has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A Windows Defender Firewall setting in the Profiles profile has changed.

Message #

A Windows Defender Firewall setting in the %1 profile has changed.
New Setting:
	Type: %2
	Value: %5
	Modifying User: %7
	Modifying Application: %8
	Error Code: %9

Fields #

Name	Description
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`SettingType` UInt32
`SettingValueSize` UInt32
`SettingValue` Binary
`SettingValueString` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2082,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T00:14:24.218884+00:00",
    "event_record_id": 1270,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 8508
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Profiles": 1,
    "SettingType": 3,
    "SettingValueSize": 4,
    "SettingValue": "00000000",
    "SettingValueString": "No",
    "Origin": 1,
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Program Files (x86)\\Avira\\Antivirus\\ccuac.exe",
    "ErrorCode": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2082: A Windows Defender Firewall setting in the Profiles profile has changed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Windows Defender Firewall setting in the profile has changed.

Fields #

Name	Description
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`SettingType` UInt32
`SettingValueSize` UInt32
`SettingValue` Binary
`SettingValueString` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Event ID 2083: A Windows Defender Firewall setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

A Windows Defender Firewall setting has changed.

Message #

A Windows Defender Firewall setting has changed.

New Setting:
	Type: %1
	Value: %4
	Modifying User: %6
	Modifying Application: %7
	Error Code: %8

Fields #

Name	Description
`SettingType` UInt32
`SettingValueSize` UInt32
`SettingValue` Binary
`SettingValueDisplay` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2083,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:52:38.271525+00:00",
    "event_record_id": 650,
    "correlation": {},
    "execution": {
      "process_id": 2884,
      "thread_id": 4496
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "SettingType": 2,
    "SettingValueSize": 4,
    "SettingValue": "06000000",
    "SettingValueDisplay": "(null),(null)",
    "Origin": 1,
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "ModifyingApplication": "",
    "ErrorCode": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2083: A Windows Defender Firewall setting has changed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Level: 4
Opcode: Info

Description

A Windows Defender Firewall setting has changed.

Fields #

Name	Description
`SettingType` UInt32
`SettingValueSize` UInt32
`SettingValue` Binary
`SettingValueDisplay` UnicodeString
`Origin` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "event_id": 2083,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-05-27T19:32:24.7520454+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security"
  },
  "event_data": {
    "SettingValueDisplay": "(null),(null)",
    "Origin": "1",
    "SettingType": "2",
    "SettingValueSize": "4",
    "ModifyingApplication": "",
    "ErrorCode": "0",
    "SettingValue": "05000000",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052"
  }
}

Event ID 2084: Added a Duplicate Rule.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational
Opcode: Info

Description

Added a Duplicate Rule.

Message #

Added a Duplicate Rule

Rule Name: %1

Fields #

Name	Description
`RuleName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2084,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:51.051278+00:00",
    "event_record_id": 715,
    "correlation": {},
    "execution": {
      "process_id": 3344,
      "thread_id": 3768
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleName": "@{Microsoft.WindowsTerminal_1.18.2822.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsTerminal/Resources/AppStoreName}"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2084: Added a Duplicate Rule

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Level: 4
Opcode: Info

Description

Added a Duplicate Rule.

Fields #

Name	Description
`RuleName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "event_id": 2084,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-05-27T19:32:06.9169883+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security"
  },
  "event_data": {
    "RuleName": "Microsoft Teams"
  }
}

Event ID 2085: Created Hyper-V Port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Created Hyper-V Port.

Message #

Created Hyper-V Port.

Error code: %1
Activity GUID: %2
Switch Name: %3
Port Name: %4
VM Creator ID: %5
Interface GUID: %6
Partition GUID: %7
Constrained: %8

Fields #

Name	Description
`ErrorCode` UInt32
`ActivityGUID` GUID
`SwitchName` UnicodeString
`PortName` UnicodeString
`VMCreatorId` GUID
`InterfaceGUID` GUID
`PartitionGUID` GUID
`Constrained` UInt16

Event ID 2085: Created Hyper-V Port

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

Created Hyper-V Port.

Fields #

Name	Description
`ErrorCode` UInt32
`ActivityGUID` GUID
`SwitchName` UnicodeString
`PortName` UnicodeString
`VMCreatorId` GUID
`InterfaceGUID` GUID
`PartitionGUID` GUID
`Constrained` UInt16

Event ID 2086: Updated Hyper-V Port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Updated Hyper-V Port.

Message #

Updated Hyper-V Port.

Error code: %1
Activity GUID: %2
Switch Name: %3
Port Name: %4
VM Creator ID: %5
Interface GUID: %6
Partition GUID: %7
Constrained: %8

Fields #

Name	Description
`ErrorCode` UInt32
`ActivityGUID` GUID
`SwitchName` UnicodeString
`PortName` UnicodeString
`VMCreatorId` GUID
`InterfaceGUID` GUID
`PartitionGUID` GUID
`Constrained` UInt16

Event ID 2086: Updated Hyper-V Port

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

Updated Hyper-V Port.

Fields #

Name	Description
`ErrorCode` UInt32
`ActivityGUID` GUID
`SwitchName` UnicodeString
`PortName` UnicodeString
`VMCreatorId` GUID
`InterfaceGUID` GUID
`PartitionGUID` GUID
`Constrained` UInt16

Event ID 2087: Deleted Hyper-V Port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

Deleted Hyper-V Port.

Message #

Deleted Hyper-V Port.

Error code: %1
Activity GUID: %2
Switch Name: %3
Port Name: %4

Fields #

Name	Description
`ErrorCode` UInt32
`ActivityGUID` GUID
`SwitchName` UnicodeString
`PortName` UnicodeString

Event ID 2087: Deleted Hyper-V Port

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

Deleted Hyper-V Port.

Fields #

Name	Description
`ErrorCode` UInt32
`ActivityGUID` GUID
`SwitchName` UnicodeString
`PortName` UnicodeString

Event ID 2088: A Hyper-V Firewall VM Setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V Firewall VM Setting has changed.

Message #

A Hyper-V Firewall VM Setting has changed.
Error Code: %1
Origin: %2
VM Creator ID: %3
Setting: %4
	Value: %5
	Modifying User: %6
	Modifying Application: %7

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`VMCreatorId` GUID
`VMConfig` UInt32
`Value` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2088: A Hyper-V Firewall VM Setting has changed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V Firewall VM Setting has changed.

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`VMCreatorId` GUID
`VMConfig` UInt32
`Value` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2089: A Hyper-V Firewall VM Setting has reset.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V Firewall VM Setting has reset.

Message #

A Hyper-V Firewall VM Setting has reset.
Error Code: %1
Origin: %2
VM Creator ID: %3
Setting: %4
Modifying User: %5
	Modifying Application: %6

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`VMCreatorId` GUID
`VMConfig` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2089: A Hyper-V Firewall VM Setting has reset

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V Firewall VM Setting has reset.

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`VMCreatorId` GUID
`VMConfig` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2090: A Hyper-V rule has been added.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V rule has been added.

Message #

A Hyper-V rule has been added.

Error Code: %1
Origin: %2
Rule ID: %3
Rule Name: %4
VM Creator ID: %5
Priority: %6
Direction: %7
Action: %8
Protocol: %9
Local Ports: %10
Remote Ports: %11
Local Addresses: %12
Remote Addresses: %13
Active: %14
Modifying User: %15
	Modifying Application: %16

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`RuleID` UnicodeString
`RuleName` UnicodeString
`VMCreatorId` GUID
`Priority` UInt16
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Action` UInt32
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`Active` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2090: A Hyper-V rule has been added

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V rule has been added.

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`RuleID` UnicodeString
`RuleName` UnicodeString
`VMCreatorId` GUID
`Priority` UInt16
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Action` UInt32
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`Active` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2091: A Hyper-V rule has been updated.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V rule has been updated.

Message #

A Hyper-V rule has been updated.

Error Code: %1
Origin: %2
Rule ID: %3
Rule Name: %4
VM Creator ID: %5
Priority: %6
Direction: %7
Action: %8
Protocol: %9
Local Ports: %10
Remote Ports: %11
Local Addresses: %12
Remote Addresses: %13
Active: %14
Modifying User: %15
	Modifying Application: %16

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`RuleID` UnicodeString
`RuleName` UnicodeString
`VMCreatorId` GUID
`Priority` UInt16
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Action` UInt32
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`Active` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2091: A Hyper-V rule has been updated

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V rule has been updated.

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`RuleID` UnicodeString
`RuleName` UnicodeString
`VMCreatorId` GUID
`Priority` UInt16
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Action` UInt32
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`Active` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2092: A Hyper-V rule has been deleted.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V rule has been deleted.

Message #

A Hyper-V rule has been deleted.

Error Code: %1
Origin: %2
Rule ID: %3
Modifying User: %4
	Modifying Application: %5

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`RuleID` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2092: A Hyper-V rule has been deleted

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V rule has been deleted.

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`RuleID` UnicodeString
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2093: A error occured while initializing a Hyper-V port.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A error occured while initializing a Hyper-V port. Network connectivity may be affected.

Message #

A error occured while initializing a Hyper-V port. Network connectivity may be affected.

Error Code: %1
Switch Name: %2
Port Name: %3

Fields #

Name	Description
`ErrorCode` UInt32
`SwitchName` UnicodeString
`PortName` UnicodeString

Event ID 2093: A error occured while initializing a Hyper-V port

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A error occured while initializing a Hyper-V port. Network connectivity may be affected.

Fields #

Name	Description
`ErrorCode` UInt32
`SwitchName` UnicodeString
`PortName` UnicodeString

Event ID 2094: A error occured while processing a Hyper-V rule.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A error occured while processing a Hyper-V rule. It may not be enforced properly.

Message #

A error occured while processing a Hyper-V rule. It may not be enforced properly.

Error Code: %1
Rule Operation: %2
Rule ID: %3
Origin	%4

Fields #

Name	Description
`ErrorCode` UInt32
`RuleOperation` UInt32
`RuleID` UnicodeString
`StoreType` UInt32

Event ID 2094: A error occured while processing a Hyper-V rule

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A error occured while processing a Hyper-V rule. It may not be enforced properly.

Fields #

Name	Description
`ErrorCode` UInt32
`RuleOperation` UInt32
`RuleID` UnicodeString
`StoreType` UInt32

Event ID 2095: A Hyper-V VM Creator has been registered with the firewall service.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V VM Creator has been registered with the firewall service.

Message #

A Hyper-V VM Creator has been registered with the firewall service.

Error Code: %1
Id: %2
Friendly Name: %3

Fields #

Name	Description
`ErrorCode` UInt32
`VMCreatorId` GUID
`FriendlyName` UnicodeString

Event ID 2095: A Hyper-V VM Creator has been registered with the firewall service

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V VM Creator has been registered with the firewall service.

Fields #

Name	Description
`ErrorCode` UInt32
`VMCreatorId` GUID
`FriendlyName` UnicodeString

Event ID 2096: A Hyper-V VM Creator has been unregistered with the firewall service.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Opcode: Info

Description

A Hyper-V VM Creator has been unregistered with the firewall service.

Message #

A Hyper-V VM Creator has been unregistered with the firewall service.

Error Code: %1
Id: %2

Fields #

Name	Description
`ErrorCode` UInt32
`VMCreatorId` GUID

Event ID 2096: A Hyper-V VM Creator has been unregistered with the firewall service

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Opcode: Info

Description

A Hyper-V VM Creator has been unregistered with the firewall service.

Fields #

Name	Description
`ErrorCode` UInt32
`VMCreatorId` GUID

Event ID 2097: A rule has been added to the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational

Description

A rule has been added to the Windows Defender Firewall exception list.

Message #

A rule has been added to the Windows Defender Firewall exception list.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23
	PolicyAppId: %27
	Error Code: %28

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`ApplicationPath` UnicodeString
`ServiceName` UnicodeString
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`PolicyAppId` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2097,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2023-11-06T01:44:15.909142+00:00",
    "event_record_id": 1322,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 22016
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{F12880D2-1AF5-4F03-AB63-8FEB63B400D0}",
    "RuleName": "Microsoft Teams",
    "Origin": 1,
    "ApplicationPath": "C:\\Program Files\\WindowsApps\\MicrosoftTeams_23275.702.2421.2406_x64__8wekyb3d8bbwe\\msteams.exe",
    "ServiceName": "",
    "Direction": 1,
    "Protocol": 17,
    "LocalPorts": "*",
    "RemotePorts": "*",
    "Action": 3,
    "Profiles": 2147483647,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "{78E1CD88-49E3-476E-B926-580E596AD309}",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-18",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "PolicyAppId": "",
    "ErrorCode": 0
  },
  "message": ""
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Action`	eq	`3`	1 rule	sigma

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2097: A rule has been added to the Windows Defender Firewall exception list

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Level: 4

Description

A rule has been added to the Windows Defender Firewall exception list.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`ApplicationPath` UnicodeString
`ServiceName` UnicodeString
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`PolicyAppId` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "event_id": 2097,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-05-27T16:23:35.0383123+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security"
  },
  "event_data": {
    "RuleName": "Xbox",
    "Direction": "1",
    "Protocol": "256",
    "SecurityOptions": "0",
    "ErrorCode": "0",
    "Action": "3",
    "LocalOnlyMapped": "0",
    "RuleId": "Microsoft.GamingApp_8wekyb3d8bbwe-In-Allow-ServerCapability",
    "RemoteUserAuthorizationList": null,
    "ApplicationPath": null,
    "LocalPorts": null,
    "Flags": "1",
    "RemotePorts": null,
    "Profiles": "3",
    "ServiceName": null,
    "Active": "1",
    "RemoteMachineAuthorizationList": null,
    "PolicyAppId": null,
    "LocalAddresses": "*",
    "ModifyingApplication": "C:\\WINDOWS\\System32\\svchost.exe",
    "RemoteAddresses": "*",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "LooseSourceMapped": "0",
    "Origin": "1",
    "EdgeTraversal": "0",
    "EmbeddedContext": "Xbox",
    "SchemaVersion": "545",
    "RuleStatus": "65536"
  }
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Action`	eq	`3`	1 rule	sigma

Event ID 2098: A rule has been listed when the Windows Defender Firewall started.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: FirewallVerbose

Description

A rule has been listed when the Windows Defender Firewall started.

Message #

A rule has been listed when the Windows Defender Firewall started.

Added Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	PolicyAppId: %27
	Error Code: %28

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`ApplicationPath` UnicodeString
`ServiceName` UnicodeString
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`PolicyAppId` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "event_id": 2098,
    "level": "Information",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-04-23T08:40:27.3361550+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
  },
  "event_data": {
    "RuleName": "File and Printer Sharing (LLMNR-UDP-Out)",
    "Direction": "2",
    "Protocol": "17",
    "SecurityOptions": "0",
    "Action": "3",
    "LocalOnlyMapped": "0",
    "RuleId": "{062990F7-7FDE-439C-BF2F-D49F06405B7C}",
    "RemoteUserAuthorizationList": null,
    "ApplicationPath": "C:\\Windows\\system32\\svchost.exe",
    "LocalPorts": "*",
    "Flags": "1",
    "RemotePorts": "5355",
    "Profiles": "2",
    "ServiceName": "dnscache",
    "Active": "1",
    "RemoteMachineAuthorizationList": null,
    "PolicyAppId": null,
    "LocalAddresses": "*",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "RemoteAddresses": "LocalSubnet",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "LooseSourceMapped": "0",
    "Origin": "1",
    "EdgeTraversal": "0",
    "EmbeddedContext": "@FirewallAPI.dll,-28502",
    "SchemaVersion": "543",
    "RuleStatus": "65536"
  }
}

Event ID 2098: A rule has been listed when the Windows Defender Firewall started

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A rule has been listed when the Windows Defender Firewall started.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`ApplicationPath` UnicodeString
`ServiceName` UnicodeString
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`PolicyAppId` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "event_id": 2098,
    "level": "Information",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-04-23T08:40:27.3361550+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
  },
  "event_data": {
    "RuleName": "File and Printer Sharing (LLMNR-UDP-Out)",
    "Direction": "2",
    "Protocol": "17",
    "SecurityOptions": "0",
    "Action": "3",
    "LocalOnlyMapped": "0",
    "RuleId": "{062990F7-7FDE-439C-BF2F-D49F06405B7C}",
    "RemoteUserAuthorizationList": null,
    "ApplicationPath": "C:\\Windows\\system32\\svchost.exe",
    "LocalPorts": "*",
    "Flags": "1",
    "RemotePorts": "5355",
    "Profiles": "2",
    "ServiceName": "dnscache",
    "Active": "1",
    "RemoteMachineAuthorizationList": null,
    "PolicyAppId": null,
    "LocalAddresses": "*",
    "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe",
    "RemoteAddresses": "LocalSubnet",
    "ModifyingUser": "S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052",
    "LooseSourceMapped": "0",
    "Origin": "1",
    "EdgeTraversal": "0",
    "EmbeddedContext": "@FirewallAPI.dll,-28502",
    "SchemaVersion": "543",
    "RuleStatus": "65536"
  }
}

Event ID 2099: A rule has been modified in the Windows Defender Firewall exception list.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall
Level: Informational

Description

A rule has been modified in the Windows Defender Firewall exception list.

Message #

A rule has been modified in the Windows Defender Firewall exception list.

Modified Rule:
	Rule ID: %1
	Rule Name: %2
	Origin: %3
	Active: %18
	Direction: %6
	Profiles: %11
	Action: %10
	Application Path: %4
	Service Name: %5
	Protocol: %7
	Security Options: %21
	Edge Traversal: %19
	Modifying User: %22
	Modifying Application: %23
	PolicyAppId: %27
	Error Code: %28

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`ApplicationPath` UnicodeString
`ServiceName` UnicodeString
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`PolicyAppId` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "guid": "D1BC9AFF-2ABF-4D71-9146-ECB2A986EB85",
    "event_source_name": "",
    "event_id": 2099,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223374235878031360,
    "time_created": "2023-11-06T01:00:42.526564+00:00",
    "event_record_id": 1285,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 18012
    },
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "RuleId": "{C4847D55-2E11-4510-9513-51B82576049A}",
    "RuleName": "Teamviewer Remote Control Service",
    "Origin": 0,
    "ApplicationPath": "C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe",
    "ServiceName": "",
    "Direction": 1,
    "Protocol": 17,
    "LocalPorts": "*",
    "RemotePorts": "*",
    "Action": 3,
    "Profiles": 4,
    "LocalAddresses": "*",
    "RemoteAddresses": "*",
    "RemoteMachineAuthorizationList": "",
    "RemoteUserAuthorizationList": "",
    "EmbeddedContext": "",
    "Flags": 1,
    "Active": 1,
    "EdgeTraversal": 0,
    "LooseSourceMapped": 0,
    "SecurityOptions": 0,
    "ModifyingUser": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "ModifyingApplication": "C:\\Users\\User\\AppData\\Local\\Temp\\cdd35c3a-7c34-11ee-936c-000c293379ba\\TeamViewer_.exe",
    "SchemaVersion": 543,
    "RuleStatus": 65536,
    "LocalOnlyMapped": 0,
    "PolicyAppId": "",
    "ErrorCode": 2
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2099: A rule has been modified in the Windows Defender Firewall exception list

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational
Level: 4

Description

A rule has been modified in the Windows Defender Firewall exception list.

Fields #

Name	Description
`RuleId` UnicodeString
`RuleName` UnicodeString
`Origin` UInt32
`ApplicationPath` UnicodeString
`ServiceName` UnicodeString
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`Protocol` UInt16	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`LocalPorts` UnicodeString
`RemotePorts` UnicodeString
`Action` UInt32
`Profiles` UInt32	Bitmask flags `0x00000001` Domain `0x00000002` Private `0x00000004` Public
`LocalAddresses` UnicodeString
`RemoteAddresses` UnicodeString
`RemoteMachineAuthorizationList` UnicodeString
`RemoteUserAuthorizationList` UnicodeString
`EmbeddedContext` UnicodeString
`Flags` UInt16
`Active` UInt16
`EdgeTraversal` UInt16
`LooseSourceMapped` UInt16
`SecurityOptions` UInt16
`ModifyingUser` SID
`ModifyingApplication` UnicodeString
`SchemaVersion` UInt16
`RuleStatus` UInt32
`LocalOnlyMapped` UInt16
`PolicyAppId` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Firewall With Advanced Security",
    "event_id": 2099,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-05-27T16:20:03.0994955+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Windows Firewall With Advanced Security"
  },
  "event_data": {
    "RuleName": "Microsoft Edge (mDNS-In)",
    "Direction": "1",
    "Protocol": "17",
    "SecurityOptions": "0",
    "ErrorCode": "2",
    "Action": "3",
    "LocalOnlyMapped": "0",
    "RuleId": "{4DFB7678-F22F-4F45-B23B-AC6CB72C5CCD}",
    "RemoteUserAuthorizationList": null,
    "ApplicationPath": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\148.0.3967.83\\msedgewebview2.exe",
    "LocalPorts": "5353",
    "Flags": "1",
    "RemotePorts": "*",
    "Profiles": "2147483647",
    "ServiceName": null,
    "Active": "1",
    "RemoteMachineAuthorizationList": null,
    "PolicyAppId": null,
    "LocalAddresses": "*",
    "ModifyingApplication": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{489F9124-9DF6-42FB-AD9A-BDA276FE4E2D}\\EDGEMITMP_B875D.tmp\\setup.exe",
    "RemoteAddresses": "*",
    "ModifyingUser": "S-1-5-18",
    "LooseSourceMapped": "0",
    "Origin": "0",
    "EdgeTraversal": "0",
    "EmbeddedContext": "Microsoft Edge WebView2 Runtime",
    "SchemaVersion": "545",
    "RuleStatus": "65536"
  }
}

Event ID 2100: A proxy is being used with Network Isolation, and is listed as a cloud resource.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A proxy is being used with Network Isolation, and is listed as a cloud resource. Network connectivity will be affected.

Message #

A proxy is being used with Network Isolation, and is listed as a cloud resource. Network connectivity will be affected. 

 Remove the domain of the proxy from the Network Isolation policy. 

 Proxy Name: %1

Fields #

Name	Description
`ProxyName` UnicodeString

Event ID 2101: A Hyper-V Firewall Profile Setting has changed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

A Hyper-V Firewall Profile Setting has changed.

Message #

A Hyper-V Firewall Profile Setting has changed.
Error Code: %1
Origin: %2
Profile Type: %3
VM Creator ID: %4
Setting: %5
	Value: %6
	Modifying User: %7
	Modifying Application: %8

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`ProfileType` UInt32
`VMCreatorId` GUID
`ProfileConfig` UInt32
`Value` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2101: A Hyper-V Firewall Profile Setting has changed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A Hyper-V Firewall Profile Setting has changed.

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`ProfileType` UInt32
`VMCreatorId` GUID
`ProfileConfig` UInt32
`Value` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2102: A Hyper-V Firewall Profile Setting has reset.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

A Hyper-V Firewall Profile Setting has reset.

Message #

A Hyper-V Firewall Profile Setting has reset.
Error Code: %1
Origin: %2
Profile Type: %3
VM Creator ID: %4
Setting: %5
Modifying User: %6
	Modifying Application: %7

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`ProfileType` UInt32
`VMCreatorId` GUID
`ProfileConfig` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2102: A Hyper-V Firewall Profile Setting has reset

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A Hyper-V Firewall Profile Setting has reset.

Fields #

Name	Description
`ErrorCode` UInt32
`StoreType` UInt32
`ProfileType` UInt32
`VMCreatorId` GUID
`ProfileConfig` UInt32
`ModifyingUser` SID
`ModifyingApplication` UnicodeString

Event ID 2103: A commit of an atomic transaction failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

A commit of an atomic transaction failed. Rollback will begin.

Message #

A commit of an atomic transaction failed. Rollback will begin.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 2103: A commit of an atomic transaction failed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A commit of an atomic transaction failed. Rollback will begin.

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 2104: The commit of an add operation in CSP failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The commit of an add operation in CSP failed.

Message #

The commit of an add operation in CSP failed. 

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2104: The commit of an add operation in CSP failed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The commit of an add operation in CSP failed.

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2105: The commit of an delete operation in CSP failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The commit of an delete operation in CSP failed.

Message #

The commit of an delete operation in CSP failed. 

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2105: The commit of an delete operation in CSP failed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The commit of an delete operation in CSP failed.

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2106: The commit of a set operation in CSP failed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The commit of a set operation in CSP failed.

Message #

The commit of a set operation in CSP failed. 

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2106: The commit of a set operation in CSP failed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The commit of a set operation in CSP failed.

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2107: A rollback of an atomic transaction completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

A rollback of an atomic transaction completed.

Message #

A rollback of an atomic transaction completed.

Error Code: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 2107: A rollback of an atomic transaction completed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

A rollback of an atomic transaction completed.

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 2108: The rollback of a delete operation completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The rollback of a delete operation completed. The rollback of a delete is the addition of the rule.

Message #

The rollback of a delete operation completed. The rollback of a delete is the addition of the rule.

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2108: The rollback of a delete operation completed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The rollback of a delete operation completed. The rollback of a delete is the addition of the rule.

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2109: The rollback of an add operation completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The rollback of an add operation completed. The rollback of an add is deletion of the rule.

Message #

The rollback of an add operation completed. The rollback of an add is deletion of the rule.

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2109: The rollback of an add operation completed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The rollback of an add operation completed. The rollback of an add is deletion of the rule.

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2110: The rollback of a set operation completed.

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Firewall

Description

The rollback of a set operation completed. The rollback of a set is re-setting the previous values.

Message #

The rollback of a set operation completed. The rollback of a set is re-setting the previous values. 

Rule name: %1
Error Code: %2

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 2110: The rollback of a set operation completed

Provider: Microsoft-Windows-Windows Firewall With Advanced Security
Channel: Operational

Description

The rollback of a set operation completed. The rollback of a set is re-setting the previous values.

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID d1bc9aff-2abf-4d71-9146-ecb2a986eb85

Defined in mpssvc.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3328, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4768, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-Windows Firewall With Advanced Security

Event ID 0

Fields #

Example Event #

Event ID 2000: The following settings were applied to the Windows Defender Firewall at startup.

Description

Message #

Fields #

Example Event #

Event ID 2001: The following per profile settings were applied by Windows Defender Firewall.

Description

Message #

Fields #

Example Event #

Event ID 2002: A Windows Defender Firewall setting has changed.

Description

Message #

Fields #

Example Event #

Related Events #

Event ID 2003: A Windows Defender Firewall setting in the Profiles profile has changed.

Description

Message #

Fields #

Example Event #

Related Events #

References #

Event ID 2004: A rule has been added to the Windows Defender Firewall exception list.

Description

Message #

Fields #

Example Event #

Common Indicators #

Detection Rules #

Sigma # view in coverage

Related Events #

References #

Event ID 2005: A rule has been modified in the Windows Defender Firewall exception list.

Description

Message #

Fields #

Example Event #

Common Indicators #

Related Events #

References #

Event ID 2006: A rule has been deleted in the Windows Defender Firewall exception list.

Description

Message #

Fields #

Example Event #

Related Events #

References #

Event ID 2007: A rule has been listed when the Windows Defender Firewall started.

Description

Message #

Fields #

Example Event #

Event ID 2008: Windows Defender Firewall Group Policy settings have changed.

Description

Message #

Example Event #

Related Events #

Event ID 2009: The Windows Defender Firewall service failed to load Group Policy.

Description

Message #

Fields #

Detection Rules #

Sigma # view in coverage

Event ID 2010: Network profile changed on an interface.

Description

Message #

Fields #

Example Event #

Event ID 2011: Windows Defender Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Description

Message #

Fields #

Example Event #

Event ID 2012: A connection security rule was added to IPsec settings.

Description