Active rule currently published.
This rule is detects that the Windows Filtering Platform blocked a packet. This event logs all the particulars about a blocked packet, including the filter that caused the block.
Application Information: Process ID: process ID specified when the executable started as logged in 4688 Application Name: the program executable on this computer's side of the packet transmission
Examples of this alert from the Windows Endpoint
Examples of 5152 The Windows Filtering Platform blocked a packet.
Process ID: 1132 Application Name: \device\harddiskvolume1\windows\system32 \svchost.exe
Direction: Inbound Source Address: 18.104.22.168 Source Port: 5355 Destination Address: 10.42.42.213 Destination Port: 56253 Protocol: 17
Filter Run-Time ID: 0 Layer Name: Receive/Accept Layer Run-Time ID: 44
There is no known false positive for this rule. This rule detects when files change, therefore, it is not recommended that you disable this rule. Instead, if you do not wish to be alerted when a specific file or files in a particular directory change, please log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.
If you believe that this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page.
If you do not wish to monitor the file or directory reported as changed, log into the ASL GUI, click on the ASL tab, select the File Integrity menu options and modify your configuration to ignore this file or directory.
Knowledge Base Articles