Windows Firewall Rule Deleted

Enabled by default

Service: Microsoft Windows security auditing

Log type: Security

This log indicates that a rule has been been deleted and can indicate both malicious and non malicious behavior. It could be a simple change to reflect a security policy change or it could be an attacker attempting to allow themselves into a network.

View Logs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4948'} -MaxEvents 1 | Format-List
Check Logging Status
auditpol /get /subcategory:"MPSSVC Rule-Level Policy Change"
Disable Logging
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /Success:Disable /Failure:Disable
Enable Logging
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /Success:Enable /Failure:Enable
Language: PowerShell
Back to Windows

Windows 10 does not log this by default. To enable logging of this activity, launch the Group Policy Editor. From here, expand the Windows Logs folder and open the Security Settings tab. Then, Expand the Advanced Audit Policies - Local Group Policy tab and then the System Audit Policies- Local Group Policies tab. Then navigate to the Policy Change tab.

In the Policy Change tab, double click on the Audit MPSSVC Rule-Level Policy Change selection and select Success and Failure. This will turn on auditing for Firewall Policy events.

Windows 10 does not log this by default. To enable logging of this activity, launch Powershell as an admin. Then, to enable logging, enter the command auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /Success:Enable /Failure:Enable

To view this log in the Event Viewer, open the event viewer and navigate to the Windows Logs heading and then the Security Tab. From here, select the find function and search for the value 4948 , or filter the log for the ID 4948.

To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4948'} -MaxEvents 1 | Format-List

To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the command wevtutil qe Security "/q:*[System [(EventID=4948)]]" /f:text /c:1