5447 A Windows Filtering Platform filter has been changed
Logged when a Windows Filtering Platform (WFP) filter is added, changed, or deleted. It records a change to the kernel-level packet-filter configuration, including the process and WFP provider that made it.
Overview
The subcategory is Audit Other Policy Change Events; the event is only written when that subcategory is enabled for Success. It is generated when a WFP filter (a rule that permits or blocks packets at a given WFP layer) is added, changed, or deleted. WFP is the kernel framework that Windows Firewall, IPsec, and third-party security products program, so this event sits one level below the firewall rule events (4946, 4947, 4948): a firewall rule change is ultimately applied as one or more WFP filter changes, but WFP filters can also be changed without any firewall rule being touched.
How it is triggered
- A WFP filter is added, changed, or deleted by Windows Firewall (through the Base Filtering Engine), IPsec policy, third-party security products (EDR, VPN, antivirus), or any sufficiently privileged process calling the WFP management API (for example FwpmFilterAdd0 or FwpmFilterDeleteById0). The event names the calling process and the registered WFP provider.
Security review points
- A WFP filter change directly governs which traffic the host blocks or allows. An attacker with administrative rights can delete or out-weigh blocking filters, insert permit filters for their own traffic, or add block filters aimed at a security agent's outbound connections to silence its telemetry, all without touching a visible firewall rule. Treat filter changes from unexpected processes or providers as possible defense evasion.
- Review this event together with 4950 (a Windows Firewall setting changed), 4946 to 4948 (firewall rule added, changed, deleted), and the sibling WFP object events 5446 (callout changed), 5448 (provider changed), and 5450 (sub-layer changed), so that network-filtering changes are monitored at every layer.
Notes for log review
- Windows Firewall, IPsec, and legitimate security products change WFP filters constantly (service start, policy refresh, profile changes), so the volume is high. Record which processes and provider names account for the changes during a quiet period, then alert only on changes made by anything outside that baseline, and on deletions or additions at layers your products do not normally touch.
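The baselining workflow above, written out as an added PowerShell example (not part of the original page). It reads 5447 events from the local Security log, tabulates which process and provider made each change so a baseline can be built, then lists changes from anything outside that baseline. The baseline lists are illustrative assumptions to be replaced with what your own hosts show; field labels are matched by wildcard on the rendered message (an assumption, since label text can differ between builds), so a field that is absent simply comes back empty.

```powershell
# Added example, not from the original page: baseline and flag WFP filter
# changes (event 5447) from the local Security log.
param(
    [int]$Hours     = 24,
    [int]$MaxEvents = 20000
)

# Assumption: illustrative baseline. Windows Firewall and IPsec make their
# changes from svchost.exe / lsass.exe; EDR, VPN and AV agents add their own
# processes and provider names. Extend this after observing a quiet period.
$BaselineProcesses = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\lsass.exe'
)
$BaselineProviders = @('Microsoft Corporation')

# The rendered message is a series of "Section:" headers followed by
# "Label:  value" lines. "Name:" and "ID:" repeat under several sections,
# so each value is stored under a "Section/Label" key.
function ConvertFrom-WfpMessage {
    param([string]$Message)
    $fields  = @{}
    $section = ''
    foreach ($raw in ($Message -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^([^:]+):$') { $section = $Matches[1]; continue }
        if ($line -match '^([^:]+):\s*(.*)$') {
            $fields["$section/$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    $fields
}

# Wildcard lookup so label differences between builds do not break the
# script; a missing field returns an empty string.
function Get-WfpField {
    param([hashtable]$Fields, [string]$Pattern)
    $key = $Fields.Keys | Where-Object { $_ -like $Pattern } | Select-Object -First 1
    if ($key) { $Fields[$key] } else { '' }
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5447
    StartTime = (Get-Date).AddHours(-$Hours)
} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $f = ConvertFrom-WfpMessage $e.Message
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Process   = Get-WfpField $f '*/Process Name'
        ProcessId = Get-WfpField $f '*/Process ID'
        Provider  = Get-WfpField $f 'Provider*/Name'
        Change    = Get-WfpField $f '*/Change Type'
        Layer     = Get-WfpField $f '*/Layer Name'
        Filter    = Get-WfpField $f '*/Filter Name'
    }
}

# Step 1: who changes filters on this host? Use this view to build the baseline.
"== 5447 changes by process and provider, last $Hours h =="
$rows | Group-Object Process, Provider | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Step 2: anything not in the baseline is what a reviewer should look at.
"== Changes outside the baseline =="
$rows | Where-Object {
    ($BaselineProcesses -notcontains $_.Process) -or
    ($BaselineProviders -notcontains $_.Provider)
} | Sort-Object Time |
    Format-Table Time, Process, ProcessId, Provider, Change, Layer, Filter -AutoSize
```

Run it from an elevated prompt (reading the Security log requires administrator or Event Log Readers membership). The first table is the baseline input: after a quiet period, copy the processes and provider names you recognise into the two lists, then rerun so the second table contains only the changes worth reviewing.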
Key fields
| Field | Meaning |
|---|---|
| Process ID / Process Name | The process that requested the filter change; the primary key for baselining |
| User ID / User Name | The account the requesting process ran as |
| Provider Information (ID, Name) | The registered WFP provider the filter belongs to (Windows components, or a third-party security product) |
| Change Type | Whether the filter was added, changed, or deleted |
| Layer Name / Layer ID | The WFP layer the filter is attached to, which determines where in the network stack it applies |
| Filter information (Key, Name, ID, Type) | The changed filter: its GUID key, display name, run-time ID, and whether it is persistent or boot-time |