Windows Windows Firewall

If client workstations are taking advantage of the built-in host-based Windows Firewall, then there is value in collecting events to track the firewall status. For example, if the firewall state changes from on to off, then that log should be collected. Normal users should not be modifying the firewall rules of their local machine. The below events for the listed versions of the Windows operating system are only applicable to modifications of the local firewall settings.

Sections on this page

SIEM Events

Firewall Rule Add

Event Source - Microsoft-Windows-Windows Firewall With Advanced Security - Event Log - Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

Firewall Rule Change

Event Source - Microsoft-Windows-Windows Firewall With Advanced Security - Event Log - Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

Firewall Rules Deleted

Event Source - Microsoft-Windows-Windows Firewall With Advanced Security - Event Log - Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

Firewall Failed To Load Group Policy

Event Source - Microsoft-Windows-Windows Firewall With Advanced Security - Event Log - Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

AIS Managed SIEM

Last modified March 24, 2021