Windows Firewall Connection Log
Windows, System Configuration, Disk Image, SIEM / Log Aggregator
Location
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx and C:\Windows\System32\LogFiles\Firewall\pfirewall.log
Description
Windows Firewall event log capturing Events 5156/5157 (allowed/blocked connections) with the process ID, application path, source/destination IP and port. The artifact also includes the pfirewall.log text file when firewall logging is enabled.
Forensic Value
Windows Firewall logs provide per-process network connection visibility without requiring Sysmon. Event 5156 records every allowed connection together with the responsible application path, which makes it possible to spot unusual processes making outbound connections. Event 5157 (blocked connection) records reveal port scanning and lateral movement attempts that were stopped. When Sysmon Event 3 is unavailable, these logs are the best alternative for process-to-network attribution.
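The attribution step described above, as an added example that is not part of this artifact entry: it parses 5156/5157 records in their event XML form (for instance, records exported from the .evtx) and lists allowed outbound connections whose originating binary sits outside the usual Windows and Program Files locations. The two event documents in the block are constructed. The EventData element names (ProcessID, Application, Direction, DestAddress, DestPort), the Direction codes (%%14592 inbound, %%14593 outbound) and the \device\harddiskvolumeN form of the Application path are assumed to match what the Security auditing provider writes for these events; confirm them against a real record before relying on the field mapping. Note that 5156/5157 are produced by the "Audit Filtering Platform Connection" audit subcategory, which is not enabled by default, so, as the collection constraints say, their absence is only meaningful once you have verified the policy was on.

```python
"""Process-to-network attribution from Event 5156/5157 XML records.

Added example, not the artifact catalogue's own code. Sample events are
constructed; EventData names and Direction codes are assumptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DIRECTION = {"%%14592": "inbound", "%%14593": "outbound"}  # assumed code values
# Binaries under these volume-relative paths are treated as expected for
# outbound traffic; everything else is surfaced for review. Tune per estate.
EXPECTED_PREFIXES = ("\\windows\\", "\\program files\\", "\\program files (x86)\\")
# 5156 reports the image as a device path; strip the volume part for matching.
DEVICE_PREFIX = re.compile(r"^\\device\\harddiskvolume\d+", re.IGNORECASE)


def _event(event_id, pid, app, direction, src, sport, dst, dport):
    """Build a constructed event document in the shape of a 5156/5157 record."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><TimeCreated SystemTime="2024-03-04T09:12:05Z"/></System>
  <EventData>
    <Data Name="ProcessID">{pid}</Data>
    <Data Name="Application">{app}</Data>
    <Data Name="Direction">{direction}</Data>
    <Data Name="SourceAddress">{src}</Data>
    <Data Name="SourcePort">{sport}</Data>
    <Data Name="DestAddress">{dst}</Data>
    <Data Name="DestPort">{dport}</Data>
    <Data Name="Protocol">6</Data>
  </EventData>
</Event>"""


# Constructed sample: one allowed outbound connection from a user temp folder,
# one allowed outbound DNS lookup by svchost, one blocked inbound SMB attempt.
SAMPLE_EVENTS = [
    _event(5156, 4812, r"\device\harddiskvolume2\users\alice\appdata\local\temp\updater.exe",
           "%%14593", "10.0.0.20", 49801, "93.184.216.34", 443),
    _event(5156, 1204, r"\device\harddiskvolume2\windows\system32\svchost.exe",
           "%%14593", "10.0.0.20", 49802, "10.0.0.1", 53),
    _event(5157, 4, "System", "%%14592", "10.0.0.77", 50214, "10.0.0.20", 445),
]


def parse_event(xml_text):
    """Reduce one 5156/5157 record to the fields needed for attribution."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    app = DEVICE_PREFIX.sub("", data["Application"]).lower()
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "pid": int(data["ProcessID"]),
        "application": app,
        "direction": DIRECTION.get(data["Direction"], data["Direction"]),
        "dest": data["DestAddress"],
        "dest_port": int(data["DestPort"]),
    }


def unexpected_outbound(events):
    """Allowed (5156) outbound connections from binaries outside EXPECTED_PREFIXES."""
    hits = []
    for ev in events:
        if ev["event_id"] != 5156 or ev["direction"] != "outbound":
            continue
        if not ev["application"].startswith(EXPECTED_PREFIXES):
            hits.append((ev["pid"], ev["application"], ev["dest"], ev["dest_port"]))
    return hits


if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    for pid, app, dest, port in unexpected_outbound(parsed):
        print(f"review: pid {pid} {app} -> {dest}:{port}")
```

The path allow-list is deliberately coarse; in a real triage you would extend `EXPECTED_PREFIXES` with the organisation's deployed software locations and pair the surviving hits with the 5157 records from the same hosts.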
Tools Required
KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer, Log Parser
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target EventLogs,FirewallLogs
EvtxECmd
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" --csv C:\output --csvf Firewall.csv
PowerShell
Copy-Item "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -Destination C:\output\
Log Parser
LogParser.exe "SELECT * FROM C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -i:W3C -o:CSV > C:\output\firewall_parsed.csv
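Once pfirewall.log has been collected with the commands above, the text file can be triaged directly. The following is an added example, not the artifact entry's own code: it reads the `#Fields:` header that Windows Firewall writes at the top of pfirewall.log instead of assuming column positions, skips truncated records (the kind a normalized SIEM copy can produce), and then summarises inbound DROP entries per source address by the number of distinct local ports hit, which is how a stopped port scan shows up, alongside the outbound connections the host was allowed to make. The log lines in the block are constructed.

```python
"""Triage a collected pfirewall.log (W3C text format).

Added example, not part of the artifact catalogue entry. The sample records
are constructed; the field layout follows the '#Fields:' header in the file.
"""
from collections import defaultdict

# Constructed sample in pfirewall.log layout (header lines plus records).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-03-04 09:12:01 DROP TCP 10.0.0.77 10.0.0.20 50211 22 52 S 1000 0 64240 - - - RECEIVE
2024-03-04 09:12:01 DROP TCP 10.0.0.77 10.0.0.20 50212 23 52 S 1001 0 64240 - - - RECEIVE
2024-03-04 09:12:02 DROP TCP 10.0.0.77 10.0.0.20 50213 135 52 S 1002 0 64240 - - - RECEIVE
2024-03-04 09:12:02 DROP TCP 10.0.0.77 10.0.0.20 50214 445 52 S 1003 0 64240 - - - RECEIVE
2024-03-04 09:12:02 DROP TCP 10.0.0.77 10.0.0.20 50215 3389 52 S 1004 0 64240 - - - RECEIVE
2024-03-04 09:12:05 ALLOW TCP 10.0.0.20 93.184.216.34 49801 443 0 - 0 0 0 - - - SEND
2024-03-04 09:12:06 ALLOW UDP 10.0.0.20 10.0.0.1 60012 53 0 - 0 0 0 - - - SEND
2024-03-04 09:12:09 DROP TCP 10.0.0.90 10.0.0.20 40001 445 52 S 2000 0 64240 - - - RECEIVE
2024-03-04 09:12:10 DROP TCP 10.0.0.90
"""


def parse_pfirewall(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before #Fields header; not a pfirewall.log")
        values = line.split()
        # Skip truncated lines rather than mis-assign columns.
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def inbound_drop_summary(records, min_ports=3):
    """Sources whose inbound DROPs touched at least min_ports distinct local ports.

    One source hitting many different closed ports in a short window is the
    pattern a stopped port scan leaves in DROP / Event 5157 records.
    """
    ports_by_src = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            ports_by_src[r["src-ip"]].add(int(r["dst-port"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def outbound_allowed(records):
    """Distinct (dst-ip, dst-port, protocol) the host was permitted to send to."""
    return sorted({(r["dst-ip"], r["dst-port"], r["protocol"]) for r in records
                   if r["action"] == "ALLOW" and r["path"] == "SEND"})


if __name__ == "__main__":
    recs = list(parse_pfirewall(SAMPLE_LOG))
    print("records parsed:", len(recs))
    for src, ports in inbound_drop_summary(recs).items():
        print(f"{src} probed {len(ports)} closed ports: {ports}")
    for dst, port, proto in outbound_allowed(recs):
        print(f"outbound allowed: {proto} -> {dst}:{port}")
```

To run it against a collected file, replace `SAMPLE_LOG` with the contents of `C:\output\pfirewall.log`; because the parser is driven by the header, it also handles the older and newer field sets Windows has used in this file as long as the header is intact. pfirewall.log carries no process information, so pair its findings with Event 5156/5157 for the responsible application path.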
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
MITRE ATT&CK Techniques
T1562.004, T1046