5158 The Windows Filtering Platform has permitted a bind to a local port

Written when the Windows Filtering Platform (WFP) permits a bind to a local port. It captures a process reserving a port.

Overview

The subcategory is Audit Filtering Platform Connection. It is generated when WFP permits a process to bind (reserve) a local port. It indicates the port-reservation stage that precedes listening or sending. The block is 5159.

How it is triggered

When a process binds a socket to a local port and it is permitted.

Security review points

You can learn which process reserved which port. A port bind by an unfamiliar process can be preparation for setting up a listener or custom communication.
Together with listen permit 5154 and connection permit 5156, track the reserve-then-listen/connect flow. Its standalone priority is moderate.

Notes for log review

It appears in volume. Full volume always-on is impractical; narrow to aggregation by process and port, or to suspicious processes.

Key fields

Field	Meaning
`Application`	The process that bound
`Source Port` / `Protocol`	The reserved port

References

Microsoft Learn: 5158(S) The Windows Filtering Platform has permitted a bind to a local port.