5152 The Windows Filtering Platform blocked a packet (packet drop)
Written when the Windows Filtering Platform (WFP) discards a packet because a filter's action is block. It is the central event of packet-drop auditing and is logged as a Failure audit, so the subcategory must have failure auditing enabled for it to appear.
Overview
The subcategory is Audit Filtering Platform Packet Drop, which also contains 5153 (a more restrictive WFP filter blocked a packet). 5152 is generated each time WFP discards a packet that matched a block filter. It resembles 5150/5151, which carry similar wording but belong to the Audit Filtering Platform Connection subcategory; 5152 is the packet-drop-specific event.
How it is triggered
- When a packet matches a filter condition whose action is block and is discarded (inbound or outbound; the Direction field records which).
Security review points
- Individual drops are normal filter behavior. Aggregate by source address, destination address and destination port, and read the result for port-scan context (one source hitting many ports or many hosts) or for repeated outbound attempts to a blocked destination, which can indicate blocked C2 communication.
- Many inbound drops from one external IP spread across many destination ports or hosts suggest scanning or reconnaissance; many outbound drops from one process to the same destination and port suggest a client or malware that keeps trying a blocked channel.
Notes for log review
- It appears in extreme volume. Always-on collection of the full stream is impractical; either enable the subcategory only for targeted investigations, or reduce the stream at collection time to source, destination, destination port and count (or to attempts against specific destination ports of interest).
- Its role overlaps with the connection events 5150/5151, so check which subcategories are enabled before concluding that a drop was not audited.
- The Filter Run-Time ID identifies the filter that caused the drop; match it against the output of netsh wfp show filters (or netsh wfp show state) to name the rule behind a drop.
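The aggregation described under the review points and the volume-reduction note above, as an added example that is not part of the original page or of any Microsoft tooling. It parses the EventData XML shape that 5152 uses, collapses raw drops into per-source/destination summaries, and flags two patterns: an inbound source whose drops spread across many destination ports or hosts, and an outbound source that keeps hitting one blocked destination. The event records, the Filter Run-Time ID values and the thresholds are constructed assumptions; the Direction and Protocol decodings match the documented 5152 values.

```python
"""Aggregate Windows event 5152 (WFP packet drop) records.

Added example for this page, not Microsoft code. Sample records are
constructed inline in the EventData shape of 5152; FilterRTID, LayerName
and the thresholds are assumed values, to be tuned per environment.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Documented raw values of the 5152 Direction and Protocol fields.
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
PROTOCOL = {1: "ICMP", 6: "TCP", 17: "UDP"}

_TEMPLATE = (
    '<EventData>'
    '<Data Name="ProcessId">{pid}</Data>'
    '<Data Name="Application">{app}</Data>'
    '<Data Name="Direction">{direction}</Data>'
    '<Data Name="SourceAddress">{src}</Data>'
    '<Data Name="SourcePort">{sport}</Data>'
    '<Data Name="DestAddress">{dst}</Data>'
    '<Data Name="DestPort">{dport}</Data>'
    '<Data Name="Protocol">{proto}</Data>'
    '<Data Name="FilterRTID">{frtid}</Data>'
    '<Data Name="LayerName">{layer}</Data>'  # placeholder, not decoded here
    '<Data Name="LayerRTID">{lrtid}</Data>'
    '</EventData>'
)


def _rec(direction, src, sport, dst, dport, proto=6, frtid=66820,
         app="System", pid=4):
    """Build one constructed 5152 EventData record (assumed field values)."""
    return _TEMPLATE.format(pid=pid, app=app, direction=direction, src=src,
                            sport=sport, dst=dst, dport=dport, proto=proto,
                            frtid=frtid, layer="%%14610", lrtid=44)


# Constructed sample: an external host probing ten ports on 10.0.0.5, an
# internal process retrying one blocked outbound destination, and a lone drop.
SAMPLE_EVENTS = (
    [_rec("%%14592", "203.0.113.9", 40000 + p, "10.0.0.5", p)
     for p in (21, 22, 23, 25, 80, 135, 139, 443, 445, 3389)]
    + [_rec("%%14593", "10.0.0.5", 51000 + i, "198.51.100.77", 8443,
            app=r"\device\harddiskvolume2\users\u\appdata\local\temp\svc.exe",
            pid=4321)
       for i in range(6)]
    + [_rec("%%14592", "192.0.2.200", 55555, "10.0.0.5", 5353, proto=17)]
)


def parse_5152(xml_text):
    """Parse the EventData of one 5152 record into a dict of decoded fields."""
    root = ET.fromstring(xml_text)
    d = {e.get("Name"): (e.text or "") for e in root.findall("Data")}
    return {
        "direction": DIRECTION.get(d["Direction"], d["Direction"]),
        "src": d["SourceAddress"], "sport": int(d["SourcePort"]),
        "dst": d["DestAddress"], "dport": int(d["DestPort"]),
        "proto": PROTOCOL.get(int(d["Protocol"]), d["Protocol"]),
        "filter_rtid": int(d["FilterRTID"]),
        "app": d["Application"], "pid": int(d["ProcessId"]),
    }


def aggregate(events):
    """Collapse raw drops into (direction, src, dst) -> count, ports, filters.

    This is the narrowing the page recommends: keep source, destination,
    destination ports and count; discard per-packet detail.
    """
    summary = defaultdict(lambda: {"count": 0, "dports": set(), "filters": set()})
    for e in map(parse_5152, events):
        s = summary[(e["direction"], e["src"], e["dst"])]
        s["count"] += 1
        s["dports"].add(e["dport"])
        s["filters"].add(e["filter_rtid"])
    return summary


def find_scanners(summary, min_ports=8, min_hosts=8):
    """Inbound sources whose drops fan out over many ports or many hosts."""
    per_src = defaultdict(lambda: {"ports": set(), "hosts": set()})
    for (direction, src, dst), s in summary.items():
        if direction == "Inbound":
            per_src[src]["ports"].update(s["dports"])
            per_src[src]["hosts"].add(dst)
    return sorted(src for src, v in per_src.items()
                  if len(v["ports"]) >= min_ports or len(v["hosts"]) >= min_hosts)


def find_repeated_outbound(summary, min_count=5):
    """Outbound drops that keep hitting one destination port: blocked-C2 candidates."""
    return sorted((src, dst) for (direction, src, dst), s in summary.items()
                  if direction == "Outbound" and len(s["dports"]) == 1
                  and s["count"] >= min_count)


if __name__ == "__main__":
    summary = aggregate(SAMPLE_EVENTS)
    for (direction, src, dst), s in sorted(summary.items()):
        print(f"{direction:8} {src:>15} -> {dst:<15} drops={s['count']:<3} "
              f"ports={len(s['dports'])} filters={sorted(s['filters'])}")
    print("scan-like sources:", find_scanners(summary))
    print("repeated outbound:", find_repeated_outbound(summary))
```

The thresholds are deliberately loose so the constructed sample trips them; in production, set them from a baseline of your own drop rates and add a time window, since a slow scan spread over hours will not cross a per-batch port count.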
Key fields
| Field | Meaning |
|---|---|
| Source/Destination Address / Port | The dropped communication |
| Direction / Protocol | Inbound or outbound, and the IP protocol number (6 = TCP, 17 = UDP) |
| Application / Process ID | The local process that owned the socket, where WFP could attribute the packet |
| Filter Run-Time ID | The WFP filter that caused the drop; look it up with netsh wfp show filters |
| Layer Name / Layer Run-Time ID | The WFP layer at which the filter matched |