Event ID 5156 – The Windows Filtering Platform has permitted a connection.
|Category||Object Access: Filtering Platform Connection|
Windows logs event 5156 whenever the WFP allows for a connection between a program and a process via a TCP or UDP port. This other process can be on the same computer or a remote one. The process ID mentioned in this log will correspond to the process ID in the event 4688 log.
This event log contains the following information:
- Process ID
- Application Name
- Source Address
- Source Port
- Destination Address
- Destination Port
- Filter Run-Time ID
- Layer Name
- Layer Run-Time
Why does event ID 5156 need to be monitored?
- To ensure specific applications do not perform certain operations
- To monitor restricted applications
- To ensure that the source address does not indicate external activity
- To monitor whether the destination address is an IP address from the Internet
- To ensure only whitelisted IP addresses are connected to
- To check the protocol that is being used by certain applications
Event 5156 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10