
5148 WFP detected a DoS attack and entered a defensive mode

Logged when the Windows Filtering Platform (WFP) detects a denial-of-service (DoS) attack and enters a defensive mode; packets associated with the attack are discarded.

Overview

The subcategory is Audit Other Object Access Events. The event is generated when WFP (Windows Filtering Platform, the kernel network-filtering foundation on which Windows Firewall and IPsec are built) classifies traffic as a denial-of-service (DoS) attack and enters a defensive mode in which it discards the attack packets rather than delivering them to the targeted service.

How it is triggered

  • When WFP classifies incoming traffic as a DoS attack (high volume or anomalous patterns against a local endpoint) and switches into defensive mode.

Security review points

  • It indicates that a DoS attack (one that overloads a service to deny it to legitimate users) was detected on this host. Record the time and the targeted host or service, and investigate the traffic source. Pair it with the matching 5149 event, which is logged when the attack subsides and normal processing resumes, to establish how long the attack lasted.
  • Treat it as an availability incident: correlate with network-device logs, flow records and bandwidth monitoring, since the host-side event alone does not show the upstream scale of the flood.

Notes for log review

  • It is rare but important. When it occurs, establish the scale, target and source of the DoS traffic.
  • Bound the attack interval by pairing each 5148 with the following 5149. A 5148 with no subsequent 5149 means the host is still in defensive mode, or the end event fell outside the retained log window.
  • Absence of 5148 does not mean absence of attacks: the event is only written if the Audit Other Object Access Events subcategory is enabled. Confirm with auditpol /get /subcategory:"Other Object Access Events".
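
The pairing described above, as an added example rather than anything from the original page: a PowerShell function that sorts 5148 and 5149 events by time, closes each interval at the next 5149, and flags unmatched starts and ends. It relies only on the Id and TimeCreated properties that Get-WinEvent returns; the function name and the sample records are constructed for this example.

```powershell
# Added example: bound WFP DoS intervals from Security log events 5148 (start) and 5149 (end).
# Only Id and TimeCreated are used, because this page does not document the 5148 message body.

function Get-WfpDosIntervals {
    param(
        # Objects with at least Id (int) and TimeCreated (DateTime), e.g. output of Get-WinEvent
        [Parameter(Mandatory)] [object[]] $Events
    )
    $intervals = @()
    $openStart = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        switch ($e.Id) {
            5148 {
                if ($null -ne $openStart) {
                    # Two starts with no end between them: report the first as unbounded
                    $intervals += [pscustomobject]@{ Start = $openStart; End = $null; Duration = $null; Status = 'Unmatched start' }
                }
                $openStart = $e.TimeCreated
            }
            5149 {
                if ($null -ne $openStart) {
                    $intervals += [pscustomobject]@{
                        Start    = $openStart
                        End      = $e.TimeCreated
                        Duration = $e.TimeCreated - $openStart
                        Status   = 'Closed'
                    }
                    $openStart = $null
                } else {
                    # End with no recorded start: the start predates the query window or was overwritten
                    $intervals += [pscustomobject]@{ Start = $null; End = $e.TimeCreated; Duration = $null; Status = 'Unmatched end' }
                }
            }
        }
    }
    if ($null -ne $openStart) {
        # Still in defensive mode at the end of the window: this is the interval to act on now
        $intervals += [pscustomobject]@{ Start = $openStart; End = $null; Duration = $null; Status = 'Still in defensive mode' }
    }
    return $intervals
}

# Live query (elevated session required; the Security log is not readable by standard users):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5148, 5149; StartTime = (Get-Date).AddDays(-7) }
# Get-WfpDosIntervals -Events $live | Format-Table -AutoSize

# Constructed sample records (not real log data) so the function can be exercised offline
$sample = @(
    [pscustomobject]@{ Id = 5148; TimeCreated = [datetime]'2024-03-01T10:00:00' }
    [pscustomobject]@{ Id = 5149; TimeCreated = [datetime]'2024-03-01T10:04:30' }
    [pscustomobject]@{ Id = 5148; TimeCreated = [datetime]'2024-03-01T22:15:00' }
)
Get-WfpDosIntervals -Events $sample | Format-Table -AutoSize
```

With the sample input the first pair closes with a 4 minute 30 second duration, and the lone 5148 at 22:15 is reported as still in defensive mode, which is the case that needs immediate attention during review.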

Key fields

Field                 Meaning
Target/source info    The DoS target and the associated attack traffic

Glossary

  • DoS (denial of service) — an attack that overloads a service with a flood of requests to deny legitimate use.
