Event ID 5152 – The Windows Filtering Platform blocked a packet.
Event ID | 5152 |
Category | Object Access: Filtering Platform Packet Drop |
Type | Failure Audit |
When a network packet is blocked by the Windows Filtering Platform, event 5152 is logged. This event is logged for every received network packet.
This event log contains the following information:
- Process ID
- Application Name
- Direction
- Source Address
- Source Port
- Destination Address
- Destination Port
- Protocol
- Filter Run-Time ID
- Layer Name
- Layer Run-Time ID
Why does event ID 5152 need to be monitored?
- To monitor which applications are reported by this event
- To check if the applications reported are restricted applications
- To ensure the Source Address is one of the addresses assigned to the computer
- To check if Destination Address is an IP address from the Internet, when certain computers and devices are not allowed to have access to the Internet
- To monitor whether the Destination Addresses are on the list of allowed IP addresses
- To monitor all inbound connections to a specific local port
- To ensure the Protocol Number is not anything atypical for the device or computer
Event 5152 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools