System32
Sysmon
Events
Compliance
Validator
TLS/SSL
GeoIP
Tools
Windows Security Events
Audit Category
Policy Change
(4)
Object Access
(2)
Operating Systems
Windows 10
(6)
Windows 2008
(6)
Windows 2008 R2
(6)
Windows 2012
(6)
Windows 2012 R2
(6)
Windows 2016
(6)
Windows 2019
(6)
Windows 2022
(6)
Windows 7
(6)
Windows 8
(6)
Windows 8.1
(6)
Windows Vista
(6)
Windows 11
(5)
Windows 2025
(3)
Tags
Audit Success
(3)
Auditing
Rarely
(5)
Conditional
(1)
Volume
High
(3)
Low
(3)
Medium
(2)
Very high
(1)
Audit Subcategory
Filtering Platform Policy Change
(3)
Filtering Platform Connection
(2)
Other Policy Change Events
(1)
AppLocker
All AppLocker events
EventSentry
All EventSentry events
Security
All Windows Security events
Sysmon
All Sysmon events
ID
Event Description
5156
The Windows Filtering Platform has allowed a connection.
Audit Success
5158
The Windows Filtering Platform has permitted a bind to a local port.
Audit Success
5440
The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
5441
The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
5446
A Windows Filtering Platform callout has been changed.
5447
A Windows Filtering Platform filter has been changed.
Audit Success