
4947 A rule in the Windows Firewall exception list was modified

Logged when an existing rule in the Windows Firewall exception list is modified. It is the event that captures a defense being loosened by rewriting an existing rule rather than adding a new one.

Overview

The audit subcategory is Audit MPSSVC Rule-Level Policy Change. The event is generated when an existing rule in the exception list is changed, and it belongs with rule addition (4946) and rule deletion (4948) as the set of rule-change events.

How it is triggered

  • Editing an existing firewall rule (changing the port, program, allowed scope, and so on).

Security review points

  • An attacker may rewrite an existing legitimate rule to widen its allowed scope (e.g. changing a specific-IP limit to allow-all), which loosens defenses more quietly than adding a new rule would. Check the rule's content after the change (allowed ports, scope).
  • Watch for widening of inbound allow rules and loosening of scope (RemoteAddress). Reconstruct the rule's history by reading this event together with addition (4946) and deletion (4948).

Notes for log review

  • This event also fires during legitimate configuration changes, so evaluate it by the difference in the rule (in particular, whether the allowed scope widened).
  • Narrow alerting to loosening changes on important rules.
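The review logic above (diff the rule, flag only loosening changes, and only on rules that matter) as an added example; it is not part of the original page. The records, their field names (Before, After, Direction, Action, LocalPort, RemoteAddress) and the IMPORTANT_RULES list are constructed for the example, since the real event does not carry the rule body in this shape.

```python
from ipaddress import ip_network
from typing import Dict, List

# Constructed, simplified 4947 records (not real Windows event XML): each carries the
# rule name, the modifying application and the rule's scope before and after the edit.
EVENTS = [
    {"RuleName": "Remote Desktop (TCP-In)", "ModifyingApplication": r"C:\Windows\System32\netsh.exe",
     "Before": {"Direction": "Inbound", "Action": "Allow", "LocalPort": ["3389"], "RemoteAddress": ["10.0.0.0/24"]},
     "After":  {"Direction": "Inbound", "Action": "Allow", "LocalPort": ["3389"], "RemoteAddress": ["Any"]}},
    {"RuleName": "Web Server (TCP-In)", "ModifyingApplication": r"C:\Windows\System32\mmc.exe",
     "Before": {"Direction": "Inbound", "Action": "Allow", "LocalPort": ["443"], "RemoteAddress": ["Any"]},
     "After":  {"Direction": "Inbound", "Action": "Allow", "LocalPort": ["443"], "RemoteAddress": ["192.0.2.0/24"]}},
    {"RuleName": "Backup Agent (TCP-In)", "ModifyingApplication": r"C:\Windows\System32\netsh.exe",
     "Before": {"Direction": "Inbound", "Action": "Allow", "LocalPort": ["8443"], "RemoteAddress": ["192.0.2.10"]},
     "After":  {"Direction": "Inbound", "Action": "Allow", "LocalPort": ["8443", "22", "445"], "RemoteAddress": ["192.0.2.10"]}},
]

# Rules whose loosening should page someone (constructed allow-list for the example).
IMPORTANT_RULES = {"Remote Desktop (TCP-In)", "Backup Agent (TCP-In)"}


def scope_covers(new: List[str], old: List[str]) -> bool:
    """True if every remote address allowed under `old` is still allowed under `new`."""
    if "Any" in new:
        return True
    if "Any" in old:
        return False
    return all(any(ip_network(o, strict=False).subnet_of(ip_network(n, strict=False)) for n in new) for o in old)


def widening_reasons(before: Dict, after: Dict) -> List[str]:
    """Explain how the edit loosened the rule; empty list means it did not widen."""
    if not (after["Direction"] == "Inbound" and after["Action"] == "Allow"):
        return []  # only inbound allows open the perimeter
    reasons = []
    if scope_covers(after["RemoteAddress"], before["RemoteAddress"]) and not scope_covers(before["RemoteAddress"], after["RemoteAddress"]):
        reasons.append(f"RemoteAddress widened {before['RemoteAddress']} -> {after['RemoteAddress']}")
    added_ports = sorted(set(after["LocalPort"]) - set(before["LocalPort"]))
    if added_ports:
        reasons.append(f"LocalPort added {added_ports}")
    return reasons


def review_4947(events: List[Dict], important=IMPORTANT_RULES) -> List[Dict]:
    """Return only loosening edits to important rules, with the modifying process for triage."""
    findings = []
    for ev in events:
        reasons = widening_reasons(ev["Before"], ev["After"])
        if reasons and ev["RuleName"] in important:
            findings.append({"RuleName": ev["RuleName"], "ModifyingApplication": ev["ModifyingApplication"], "Reasons": reasons})
    return findings
```

The narrowed Web Server rule produces no finding; the RDP scope change and the added ports on the backup rule do.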

Key fields

Field                              Meaning
Rule Name                          The changed rule
Post-change port/program/scope     The change
Modifying Application              The process that made the change

References