Object Access Event: 5148

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Object Access » Object Access Event: 5148

Event ID 5148 – The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.

Event ID 5148
Category Object Access: Other Object Access Events
Type Failure Audit

Event 5148 is logged when the Windows Filtering Platform detects a DoS attack and enters a defensive mode, thus causing packets associated with this attack to be discarded. This event was designed to be generated when an ICMP DoS attack starts or is detected. This event occurs very rarely.

An example of 5148 event log:

The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.

Network Information:

Type:%1

Why does event ID 5148 need to be monitored?

The logging of this event indicates that there is an ICMP DoS attack, or that there are hardware and network device related problems. Either way, it is prudent to investigate the cause of this event.

Event 5148 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10