
Windows Firewall

windows_firewall

About

Windows Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network.

Product Details

Vendor URL: Windows Firewall

Product Type: Host-based Firewall

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Syslog Integration - Cyderes Documentation

Log Guide: www.learn.microsoft.com

Parser Details

Log Format: JSON

Expected Normalization Rate: 90%

Data Label: WINDOWS_FIREWALL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field         UDM Field
AccountName            principal.user.userid
AccountType            principal.user.role_description
Channel                observer.application
Domain                 principal.administrative_domain
EventID                metadata.product_event_type
Hostname               principal.hostname
LocalPorts             principal.port
ModifyingApplication   target.application
ModifyingUser          security_result.about.user.userid
ProcessID              principal.process.pid
ProviderGuid           metadata.product_log_id
RuleId                 security_result.rule_id
RuleName               security_result.rule_name
Severity               security_result.severity
Severity               security_result.severity_details
SourceName             principal.application
UserID                 principal.user.windows_sid

Product Event Types

For some products, only certain event types are supported. The supported Windows Firewall Event IDs are listed below.

Windows Event ID   Event Description                                                                                                            UDM Event Classification
2004               "A rule has been added to the Windows Firewall exception list."                                                              "RESOURCE_CREATION"
2005               "A rule has been modified in the Windows Firewall exception list."                                                           "RESOURCE_WRITTEN"
2006               "A rule has been deleted in the Windows Firewall exception list."                                                            "RESOURCE_DELETION"
2011               "Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network."   "GENERIC_EVENT"
2033               "All rules have been deleted from the Windows Firewall configuration on this computer."                                      "RESOURCE_DELETION"

Log Sample

{"EventTime":"2022-09-29T02:49:11.358751-05:00","Hostname":"Hostname1","Keywords":-9223369837831520256,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":2004,"SourceName":"Microsoft-Windows-Windows Firewall With Advanced Security","ProviderGuid":"{EXAMPLE-GUID}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":8325,"ProcessID":2900,"ThreadID":27524,"Channel":"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall","Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"A rule has been added to the Windows Defender Firewall exception list.\r\n\r\nAdded Rule:\r\n\tRule ID:\t{387c428e-411d-43fa-8d68-2e504c206db6}\r\n\tRule Name:\tInternet Connection Sharing (DHCP Server-In)\r\n\tOrigin:\tDynamic\r\n\tActive:\tNo\r\n\tDirection:\tInbound\r\n\tProfiles:\tPrivate,Domain, Public\r\n\tAction:\tAllow\r\n\tApplication Path:\tC:\\WINDOWS\\system32\\svchost.exe\r\n\tService Name:\tSharedAccess\r\n\tProtocol:\tUDP\r\n\tSecurity Options:\tC:\\Windows\\System32\\svchost.exe\r\n\tEdge Traversal:\tNone\r\n\tModifying User:\t542\r\n\tModifying Application:\t65536","Opcode":"Info","RuleId":"{387c428e-411d-43fa-8d68-2e504c206db6}","RuleName":"Internet Connection Sharing (DHCP Server-In)","Origin":"3","ApplicationPath":"C:\\WINDOWS\\system32\\svchost.exe","ServiceName":"SharedAccess","Direction":"1","Protocol":"17","LocalPorts":"67","RemotePorts":"*","Action":"3","Profiles":"7","LocalAddresses":"*","RemoteAddresses":"*","EmbeddedContext":"@ipnathlp.dll,-140","Flags":"1","Active":"1","EdgeTraversal":"0","LooseSourceMapped":"0","SecurityOptions":"0","ModifyingUser":"S-1-5-18","ModifyingApplication":"C:\\Windows\\System32\\svchost.exe","SchemaVersion":"542","RuleStatus":"65536","LocalOnlyMapped":"0","EventReceivedTime":"2022-09-29 02:49:22","SourceModuleName":"windows_firewall","SourceModuleType":"im_msvistalog"}

Sample Parsing

metadata.event_timestamp = "2022-09-29T02:49:11.358751z"
metadata.event_type = RESOURCE_CREATION
metadata.product_event_type = 2004
metadata.product_log_id = "{EXAMPLE-GUID}"
observer.application = "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
metadata.description = "A rule has been added to the Windows Firewall exception list"
principal.administrative_domain = "NT AUTHORITY"
principal.application = "Microsoft-Windows-Windows Firewall With Advanced Security"
principal.hostname = "Hostname1"
principal.port = "67"
principal.process.pid = "2900"
principal.user.role_description = "Well Known Group"
principal.user.userid = "LOCAL SERVICE"
principal.user.windows_sid = "S-1-5-19"
security_result.about.user.userid = "S-1-5-18"
security_result.rule_id = "{387c428e-411d-43fa-8d68-2e504c206db6}"
security_result.rule_name = "Internet Connection Sharing (DHCP Server-In)"
security_result.severity = INFORMATIONAL
security_result.severity_details = "INFO"
target.application = "C:\\Windows\\System32\\svchost.exe"
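To make the mapping above concrete, here is an added example (not the Cyderes parser itself) that applies the UDM field table and the Event ID classification table to a constructed, abbreviated copy of the log sample. It assumes that events whose Event ID is not in the supported list are dropped, and that a Severity of "INFO" maps to INFORMATIONAL as shown in the sample parsing.

```python
import json

# Log field -> UDM field, taken from the page's UDM table.
FIELD_MAP = {
    "AccountName": "principal.user.userid",
    "AccountType": "principal.user.role_description",
    "Channel": "observer.application",
    "Domain": "principal.administrative_domain",
    "EventID": "metadata.product_event_type",
    "Hostname": "principal.hostname",
    "LocalPorts": "principal.port",
    "ModifyingApplication": "target.application",
    "ModifyingUser": "security_result.about.user.userid",
    "ProcessID": "principal.process.pid",
    "ProviderGuid": "metadata.product_log_id",
    "RuleId": "security_result.rule_id",
    "RuleName": "security_result.rule_name",
    "SourceName": "principal.application",
    "UserID": "principal.user.windows_sid",
}
# Supported Event IDs and their UDM classification, from the page's event table.
EVENT_TYPES = {2004: "RESOURCE_CREATION", 2005: "RESOURCE_WRITTEN",
               2006: "RESOURCE_DELETION", 2011: "GENERIC_EVENT",
               2033: "RESOURCE_DELETION"}
# Severity string -> UDM severity; the page's sample shows INFO -> INFORMATIONAL.
SEVERITY = {"INFO": "INFORMATIONAL"}

# Constructed, abbreviated copy of the page's log sample (unmapped fields dropped).
SAMPLE = ('{"Hostname":"Hostname1","Severity":"INFO","EventID":2004,'
          '"SourceName":"Microsoft-Windows-Windows Firewall With Advanced Security",'
          '"ProviderGuid":"{EXAMPLE-GUID}","ProcessID":2900,'
          '"Channel":"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",'
          '"Domain":"NT AUTHORITY","AccountName":"LOCAL SERVICE","UserID":"S-1-5-19",'
          '"AccountType":"Well Known Group","RuleId":"{387c428e-411d-43fa-8d68-2e504c206db6}",'
          '"RuleName":"Internet Connection Sharing (DHCP Server-In)","LocalPorts":"67",'
          '"ModifyingUser":"S-1-5-18","ModifyingApplication":"C:\\\\Windows\\\\System32\\\\svchost.exe"}')


def parse_event(raw: str):
    """Map one JSON Windows Firewall event to UDM fields.

    Returns None for Event IDs the page does not list as supported
    (assumption: such events are not normalized)."""
    event = json.loads(raw)
    event_id = event.get("EventID")
    if event_id not in EVENT_TYPES:
        return None
    udm = {dst: event[src] for src, dst in FIELD_MAP.items() if src in event}
    udm["metadata.event_type"] = EVENT_TYPES[event_id]
    if "Severity" in event:  # the raw string is kept in severity_details
        udm["security_result.severity_details"] = event["Severity"]
        udm["security_result.severity"] = SEVERITY.get(event["Severity"], "UNKNOWN_SEVERITY")
    return udm
```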

Parser Alerting

This product currently does not have any Parser-based Alerting.

Rules

Coming Soon