
Windows Event ID 5156 – Microsoft-Windows-Security-Auditing: Network Connection Allowed by Windows Filtering Platform

Event ID 5156 logs when Windows Filtering Platform allows a network connection. This security audit event tracks permitted inbound and outbound connections for compliance and network monitoring.

Emanuel DE ALMEIDA
18 March 2026 · 12 min read

What This Event Means

Event ID 5156 represents a fundamental component of Windows network security auditing. When the Windows Filtering Platform evaluates network traffic and determines that a connection should be allowed based on configured firewall rules and policies, it generates this audit event to create a permanent record of the permitted activity.

The event contains comprehensive connection metadata including the process ID and executable path of the application initiating or receiving the connection, the user account context, source and destination IP addresses with port numbers, and the network protocol used. This granular information makes Event ID 5156 particularly valuable for forensic analysis and compliance reporting.

In Windows Server 2025 and Windows 11 24H2, Microsoft enhanced the event structure to include additional context about container networking and improved IPv6 support. The event now provides better visibility into modern networking scenarios including Windows Subsystem for Linux (WSL) connections and containerized applications.

Organizations typically see high volumes of Event ID 5156 entries on busy servers and workstations. While this provides excellent visibility into network activity, it can also generate significant log volume that requires careful management and filtering to extract meaningful security insights from the audit trail.

Applies to: Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • Windows Firewall allows an inbound connection based on configured rules
  • Application initiates an outbound connection that passes firewall filtering
  • Network service accepts incoming connections on listening ports
  • VPN client establishes tunnel connections through the filtering platform
  • Remote Desktop Protocol (RDP) sessions are established and permitted
  • Web browsers create HTTPS connections to external websites
  • Email clients connect to mail servers using SMTP, POP3, or IMAP protocols
  • File sharing services like SMB accept network connections
  • Database applications establish client-server connections
  • Windows Update service downloads updates from Microsoft servers
Troubleshooting Steps

Method 1: Review Event Details in Event Viewer

Start by examining the specific connection details in Event Viewer to understand what triggered the allowed connection.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. Filter the log for Event ID 5156 by right-clicking Security → Filter Current Log
  4. Enter 5156 in the Event IDs field and click OK
  5. Double-click on a recent Event ID 5156 entry to view detailed information
  6. Review key fields in the event details:
    • Process Information: Shows the executable path and process ID
    • Network Information: Contains source/destination IPs and ports
    • Filter Information: Displays the firewall rule that allowed the connection
Pro tip: Look for unusual process paths or unexpected network destinations that might indicate malicious activity.
Method 2: Query Events with PowerShell for Analysis

Use PowerShell to efficiently query and analyze Event ID 5156 entries for patterns and anomalies.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 5156 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific process or application:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156} | Where-Object {$_.Message -like '*chrome.exe*'} | Select-Object TimeCreated, Message
  4. Analyze connection patterns by destination port:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156} -MaxEvents 1000 | ForEach-Object {if($_.Message -match 'Destination Port:\s+(\d+)'){$matches[1]}} | Group-Object | Sort-Object Count -Descending
  5. Export events to CSV for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156} -MaxEvents 500 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Export-Csv -Path "C:\temp\Event5156_Analysis.csv" -NoTypeInformation
Warning: Querying large numbers of security events can impact system performance. Use -MaxEvents to limit results.
Method 3: Configure Audit Policy Settings

Manage the generation of Event ID 5156 by configuring Windows audit policies for filtering platform connections.

  1. Open Local Group Policy Editor by pressing Win + R, typing gpedit.msc, and pressing Enter
  2. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access
  3. Double-click Audit Filtering Platform Connection
  4. Configure the policy based on your monitoring requirements:
    • Check Success to log allowed connections (Event ID 5156)
    • Check Failure to log blocked connections (Event ID 5157)
    • Uncheck both to disable connection auditing
  5. Click OK and run gpupdate /force to apply changes immediately
  6. Alternatively, use auditpol command line:
    # Enable success auditing for filtering platform connections
    auditpol /set /subcategory:"Filtering Platform Connection" /success:enable
    
    # Disable all filtering platform connection auditing
    auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
Pro tip: Consider the log volume impact before enabling this audit policy on high-traffic servers.
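Before enabling success auditing on a busy server, a practitioner usually wants two numbers: the current setting of the subcategory, and how much Security-log space 5156 will consume per day against the configured maximum log size. The following function is an added example, not code from the article: it reads the subcategory state from the CSV output of auditpol /r, counts 5156 events over a sample window and extrapolates. The function name, the sample window and the 1 KB average record size are assumptions; auditpol needs an elevated prompt, and its CSV column names follow the system locale.

```powershell
# Added example (not from the article): Filtering Platform Connection audit state plus
# a rough estimate of the Security-log volume Event ID 5156 is producing.
function Get-WfpAuditVolumeReport {
    param(
        [int]$SampleMinutes = 60,    # look-back window used to measure the event rate
        [int]$AvgEventBytes = 1024   # assumed average on-disk size of one 5156 record (assumption; measure and adjust)
    )

    # auditpol /r prints CSV (elevated prompt required); header names follow the system locale.
    $policy  = auditpol /get /subcategory:"Filtering Platform Connection" /r |
               Where-Object { $_ } | ConvertFrom-Csv
    $setting = ($policy | Select-Object -First 1).'Inclusion Setting'

    # Count 5156 events in the sample window. Get-WinEvent raises an error when nothing
    # matches, so that case is silenced and yields a count of 0.
    $since = (Get-Date).AddMinutes(-$SampleMinutes)
    $count = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156; StartTime=$since} `
               -ErrorAction SilentlyContinue).Count

    # Extrapolate to a day and compare with the configured maximum size of the Security log.
    $log         = Get-WinEvent -ListLog Security
    $perDay      = [math]::Round($count * (1440 / $SampleMinutes))
    $bytesPerDay = $perDay * $AvgEventBytes
    $daysToWrap  = $null
    if ($bytesPerDay -gt 0) { $daysToWrap = [math]::Round($log.MaximumSizeInBytes / $bytesPerDay, 1) }

    [PSCustomObject]@{
        AuditSetting      = $setting            # e.g. "Success", "Success and Failure", "No Auditing"
        SampledEvents     = $count
        SampleMinutes     = $SampleMinutes
        EstimatedPerDay   = $perDay
        EstimatedMBPerDay = [math]::Round($bytesPerDay / 1MB, 1)
        SecurityLogMaxMB  = [math]::Round($log.MaximumSizeInBytes / 1MB)
        DaysUntilWrap     = $daysToWrap         # how long the log holds 5156 at this rate before overwriting
    }
}

Get-WfpAuditVolumeReport | Format-List
```

Run it once with the policy enabled for an hour on a representative host; if DaysUntilWrap is shorter than the retention you need, raise the Security log size (wevtutil sl Security /ms:<bytes>) or forward the events off-box before rolling the policy out through Group Policy.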
Method 4: Analyze Network Traffic Patterns and Security Implications

Perform advanced analysis of Event ID 5156 data to identify security patterns and potential threats.

  1. Create a PowerShell script to analyze connection patterns:
    # Analyze Event ID 5156 for security patterns
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156} -MaxEvents 2000

    # Extract connection details from the event's data fields rather than with a regex over
    # the rendered Message: the Message is multi-line (so '.*' never spans the fields) and its
    # labels depend on the display language; 5156 also labels the executable "Application Name".
    # EventData order for 5156: 0 ProcessID, 1 Application, 2 Direction, 3 SourceAddress,
    # 4 SourcePort, 5 DestAddress, 6 DestPort, 7 Protocol, 8 FilterRTID, 9 LayerName, ...
    $Connections = foreach ($Event in $Events) {
        $p = $Event.Properties
        if ($p.Count -ge 8) {
            $Direction = 'Inbound'
            if ($p[2].Value -eq '%%14593') { $Direction = 'Outbound' }   # %%14592 = Inbound, %%14593 = Outbound
            [PSCustomObject]@{
                TimeCreated     = $Event.TimeCreated
                ProcessName     = $p[1].Value       # NT device path, e.g. \device\harddiskvolume3\windows\system32\svchost.exe
                Direction       = $Direction
                SourceIP        = $p[3].Value
                DestinationIP   = $p[5].Value
                DestinationPort = [int]$p[6].Value
                Protocol        = $p[7].Value       # IANA protocol number: 6 = TCP, 17 = UDP
            }
        }
    }

    # Identify top processes by connection count
    $Connections | Group-Object ProcessName | Sort-Object Count -Descending | Select-Object Name, Count
  2. Identify unusual outbound connections:
    # Find connections to external IPs: exclude RFC 1918 private ranges, IPv4 loopback and
    # link-local, and the IPv6 loopback (::1), link-local (fe80::/10) and unique-local (fc00::/7) ranges
    $ExternalConnections = $Connections | Where-Object {
        $_.DestinationIP -notmatch '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|::1$|fe80:|f[cd][0-9a-f]{2}:)'
    }

    $ExternalConnections | Group-Object DestinationIP | Sort-Object Count -Descending
  3. Monitor for suspicious process behavior:
    # Look for processes connecting to multiple external destinations
    $SuspiciousProcesses = $ExternalConnections | Group-Object ProcessName | Where-Object {$_.Count -gt 10}
    $SuspiciousProcesses | ForEach-Object {Write-Host "$($_.Name): $($_.Count) external connections" -ForegroundColor Yellow}
  4. Set up automated monitoring with scheduled tasks or monitoring solutions
Warning: High volumes of external connections from unexpected processes may indicate malware or data exfiltration.
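A fixed threshold such as "more than 10 external connections" fires constantly for browsers and update agents. What an analyst actually wants from 5156 is the destinations a process has not used before. The block below is an added example, not code from the article: it parses 5156 through the named EventData fields of the event XML (locale-independent), decodes the Direction and Protocol codes, treats IPv6 loopback, link-local and unique-local addresses as internal in addition to the IPv4 ranges above, builds a per-application baseline of external destinations from an earlier window, and reports only destinations that are new in the most recent window. The function names, the 168-hour baseline, the 1-hour detection window and the 20000-event cap are assumptions.

```powershell
# Added example (not from the article): parse 5156 via its XML data fields and report
# per-application external destinations that do not appear in the baseline window.
function ConvertFrom-WfpAllowedConnection {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        # Named EventData fields (Name attribute -> text), independent of the display language
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[[string]$n.Name] = $n.'#text' }
        $dir   = switch ($d.Direction) { '%%14592' { 'Inbound' } '%%14593' { 'Outbound' } default { $d.Direction } }
        $proto = switch ([int]$d.Protocol) { 6 { 'TCP' } 17 { 'UDP' } 1 { 'ICMP' } 58 { 'ICMPv6' } default { "proto$($d.Protocol)" } }
        [PSCustomObject]@{
            TimeCreated = $Event.TimeCreated
            ProcessId   = [int]$d.ProcessID
            Application = $d.Application      # NT device path, e.g. \device\harddiskvolume3\windows\system32\svchost.exe
            Direction   = $dir
            SourceIP    = $d.SourceAddress
            SourcePort  = [int]$d.SourcePort
            DestIP      = $d.DestAddress
            DestPort    = [int]$d.DestPort
            Protocol    = $proto
        }
    }
}

function Test-InternalAddress {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $true }   # unparsable: do not flag
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        $first = $ip.GetAddressBytes()[0]
        return [System.Net.IPAddress]::IPv6Loopback.Equals($ip) -or $ip.IsIPv6LinkLocal -or
               $ip.IsIPv6SiteLocal -or (($first -band 0xFE) -eq 0xFC)                  # fc00::/7 unique local
    }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Find-NewExternalDestination {
    param([int]$BaselineHours = 168, [int]$WindowHours = 1, [int]$MaxEvents = 20000)
    $now = Get-Date
    $cut = $now.AddHours(-$WindowHours)
    # Newest events come first, so -MaxEvents trims the oldest part of the baseline on a busy host
    $external = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156; StartTime=$now.AddHours(-$BaselineHours)} `
                    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
                ConvertFrom-WfpAllowedConnection |
                Where-Object { $_.Direction -eq 'Outbound' -and -not (Test-InternalAddress $_.DestIP) }

    # Baseline: destination ip:port pairs each application used before the detection window
    $baseline = @{}
    foreach ($c in ($external | Where-Object { $_.TimeCreated -lt $cut })) {
        $app = [string]$c.Application
        if (-not $baseline.ContainsKey($app)) { $baseline[$app] = @{} }
        $baseline[$app]["$($c.DestIP):$($c.DestPort)"] = $true
    }

    # Report destinations in the window that the application had not used before
    $external | Where-Object { $_.TimeCreated -ge $cut } |
        Where-Object {
            $app = [string]$_.Application
            -not ($baseline.ContainsKey($app) -and $baseline[$app].ContainsKey("$($_.DestIP):$($_.DestPort)"))
        } |
        Group-Object Application, DestIP, DestPort, Protocol |
        ForEach-Object {
            [PSCustomObject]@{
                Application = $_.Group[0].Application
                Destination = "$($_.Group[0].DestIP):$($_.Group[0].DestPort)/$($_.Group[0].Protocol)"
                Connections = $_.Count
                FirstSeen   = ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
            }
        } | Sort-Object Connections -Descending
}

Find-NewExternalDestination | Format-Table -AutoSize
```

The Application field is a device path rather than a drive letter, so group and baseline on it as-is; resolving it to C:\ only matters when the result is handed to someone reading it. Hosts whose baseline window is cut short by the event cap will report more "new" destinations than they should, so raise MaxEvents or shorten BaselineHours on busy servers.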
Method 5: Integrate with SIEM and Log Management Solutions

Configure enterprise-level monitoring and analysis of Event ID 5156 for comprehensive network security visibility.

  1. Configure Windows Event Forwarding to centralize Event ID 5156 collection (run on the collector after the Windows Event Collector service has been set up with wecutil qc; the forwarding hosts need the "Configure target Subscription Manager" policy pointing at the collector):
# Create custom event subscription XML.
# The closing "@ of a here-string must be the first two characters on its line.
$SubscriptionXML = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>NetworkConnections</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Forward Event ID 5156 network connections</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <Query><![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=5156]]</Select>
            </Query>
        </QueryList>
    ]]></Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <!-- A source-initiated subscription must name the computers allowed to forward to it;
         this SDDL grants the Domain Computers group. Narrow it to the hosts you want. -->
    <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

# Save and create the subscription
$SubscriptionXML | Out-File -FilePath "C:\temp\NetworkConnections.xml" -Encoding UTF8
wecutil cs "C:\temp\NetworkConnections.xml"

# Verify that forwarders are checking in
wecutil gr NetworkConnections
  2. Configure log parsing rules in your SIEM solution to extract key fields from Event ID 5156
  3. Create correlation rules to detect:
    • Unusual connection patterns
    • Connections from unauthorized processes
    • High-volume data transfers
    • Connections to known malicious IP addresses
  4. Set up automated alerting for suspicious network activity patterns
  5. Implement log retention policies to balance storage costs with compliance requirements
  6. Use PowerShell to create custom dashboards:
    # Generate daily network connection summary
    $Today = Get-Date -Format "yyyy-MM-dd"
    $TodayEvents = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156; StartTime=(Get-Date).Date} -ErrorAction SilentlyContinue)

    # Properties[1] is the 5156 Application field (the executable's NT device path); reading it
    # directly avoids parsing the multi-line, language-dependent Message text
    Write-Host "Network Connection Summary for $Today" -ForegroundColor Green
    Write-Host "Total Connections: $($TodayEvents.Count)"
    Write-Host "Unique Processes: $(@($TodayEvents | ForEach-Object { $_.Properties[1].Value } | Sort-Object -Unique).Count)"
    Write-Host "Peak Hour: $(($TodayEvents | Group-Object {$_.TimeCreated.Hour} | Sort-Object Count -Descending | Select-Object -First 1).Name):00"
Pro tip: Use Windows Performance Toolkit (WPT) for advanced network performance correlation with Event ID 5156 data.
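The subscription above forwards every 5156 event, and the volume note in the FAQ-style guidance of most SIEM teams is to filter at the source where possible. An XPath Suppress clause in the subscription query drops known noise on the forwarding host before it crosses the network. The block below is an added example, not code from the article: it defines a query that keeps 5156 but suppresses loopback destinations, and a helper that runs the same query locally through Get-WinEvent -FilterXml so the effect can be measured on a real host before the query is pasted into the subscription's CDATA section. The function name and the one-hour comparison window are assumptions; the timediff() bound (3600000 ms) keeps both counts on the same window.

```powershell
# Added example (not from the article): a noise-reducing forwarding query, tested locally
# before it is placed inside the <Query><![CDATA[ ... ]]></Query> element of the subscription.
$QueryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=5156 and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]
    </Select>
    <!-- Drop connections to the local loopback addresses; add further Suppress elements
         for other destinations or applications known to be noise on this host class -->
    <Suppress Path="Security">
      *[EventData[Data[@Name='DestAddress']='127.0.0.1' or Data[@Name='DestAddress']='::1']]
    </Suppress>
  </Query>
</QueryList>
"@

function Test-ForwardingQuery {
    param([string]$Xml)
    # Events the subscription would actually forward (last hour, per the timediff bound)
    $kept = @(Get-WinEvent -FilterXml ([xml]$Xml) -ErrorAction SilentlyContinue)
    # All 5156 events in the same hour, for comparison
    $all  = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5156; StartTime=(Get-Date).AddHours(-1)} `
              -ErrorAction SilentlyContinue)
    $dropped = $all.Count - $kept.Count
    $pct = 0
    if ($all.Count -gt 0) { $pct = [math]::Round(100 * $dropped / $all.Count, 1) }
    [PSCustomObject]@{
        LastHourTotal = $all.Count
        WouldForward  = $kept.Count
        Suppressed    = $dropped
        SuppressedPct = $pct
    }
}

Test-ForwardingQuery -Xml $QueryXml
```

Windows event XPath supports only exact comparisons on Data values (no prefix or regex matching), so ranges such as fe80::/10 cannot be suppressed this way; filter those at the SIEM. When moving the query into the subscription, remove the timediff() bound, which exists only to make the local comparison fair.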

Overview

Event ID 5156 fires whenever the Windows Filtering Platform (WFP) allows a network connection to proceed. This security audit event appears in the Security log and provides detailed information about permitted network traffic, including source and destination IP addresses, ports, protocols, and the process responsible for the connection.

The Windows Filtering Platform is the core networking component that replaced the legacy TCP/IP filtering in Windows Vista and later versions. When audit policies are configured to track filtering platform connections, Event ID 5156 generates entries for every allowed connection, making it valuable for security monitoring, compliance auditing, and network troubleshooting.

This event commonly appears on systems with active network monitoring policies, particularly in enterprise environments where administrators need to track network activity for security compliance. The event provides granular details about each connection, including the application path, user context, and network layer information that can help identify legitimate traffic patterns and potential security concerns.

Frequently Asked Questions

What does Event ID 5156 mean and when does it appear?
Event ID 5156 indicates that the Windows Filtering Platform has allowed a network connection to proceed. It appears whenever an inbound or outbound network connection passes through the Windows firewall and filtering rules successfully. The event logs detailed information about the connection including the process, IP addresses, ports, and protocols involved. This event is part of Windows security auditing and only appears when audit policies are configured to track filtering platform connections.
How can I reduce the volume of Event ID 5156 entries in my Security log?
You can reduce Event ID 5156 volume by modifying the audit policy configuration. Use Group Policy Editor to navigate to Advanced Audit Policy Configuration → Object Access → Audit Filtering Platform Connection and disable success auditing. Alternatively, use the command 'auditpol /set /subcategory:"Filtering Platform Connection" /success:disable'. You can also implement log filtering at the SIEM level to focus on specific processes or network destinations while still maintaining the audit trail for compliance purposes.
Can Event ID 5156 help detect malware or unauthorized network activity?
Yes, Event ID 5156 is valuable for detecting suspicious network activity. Look for unusual patterns such as unknown processes making external connections, connections to suspicious IP addresses, or abnormal connection volumes from specific applications. Malware often generates distinctive network patterns that can be identified through analysis of these events. Combine Event ID 5156 data with threat intelligence feeds and behavioral analysis to identify potential security incidents. However, legitimate applications also generate these events, so baseline normal activity first.
What information is included in Event ID 5156 and how do I interpret it?
Event ID 5156 contains comprehensive connection metadata including: Process Information (executable path and process ID), Network Information (source and destination IP addresses and ports, protocol), Security Information (user account context), and Filter Information (which firewall rule allowed the connection). The Direction field indicates whether it's inbound or outbound traffic. Layer Name shows the network stack layer where filtering occurred. This information helps identify the application responsible for the connection and understand the network communication pattern.
How does Event ID 5156 differ from Event ID 5157 and other network-related events?
Event ID 5156 logs allowed connections, while Event ID 5157 logs blocked connections by the Windows Filtering Platform. Event ID 5158 logs when the filtering platform permits a bind operation to a local port. Event ID 5159 logs blocked bind operations. Together, these events provide complete visibility into network filtering decisions. Event ID 5156 is typically the most common since it logs all successful network activity, while 5157 only appears when connections are actively blocked by firewall rules or policies.
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
