Windows Security Log Event ID 5157

5157: The Windows Filtering Platform has blocked a connection

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

This event documents each time WFP allows a program to connect to another process (on the same or a remote computer) on a TCP or UDP port.

The above example is of WFP allowing the DNS Server service to connect to the DNS client on the same computer.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 5157

Application Information:

• Process ID:  Process ID specified when the executable started as logged in 4688.
• Application Name: The program executable on this computer's side of the packet transmission.

Network Information:

• Direction:
• Source Address:
• Source Port:
• Destination Address:
• Destination Port:
• Protocol:

Filter Information:

• Filter Run-Time ID:
• Layer Name:
• Layer Run-Time ID:

Supercharger Enterprise

Load Balancing for Windows Event Collection

 

Mini-Seminars Covering Event ID 5157 How to Monitor Network Activity with the Windows Security & Firewall Logs to Detect Inbound and Outbound Attacks 5 Indicators of Evil on Windows Hosts using Endpoint Threat Detection and Response XPath Deep Dive: Building Advanced Filters for Windows Event Collection

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy