[ossec-list] I'm unclear why my rule is not matching...

2017-07-03 Thread Ian Brown
I've got this event log in Windows:

2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information:

Re: [ossec-list] I'm unclear why my rule is not matching...

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 2:28 AM, Ian Brown wrote:
> I've got this event log in Windows:
>
> 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The
> Windows Filtering Platform blocked a packet. Application Information:

Re: [ossec-list] I'm unclear why my rule is not matching...

2017-07-05 Thread Ian Brown
Dan, eventually my rule started working -- it was after I modified that windows decoder by swapping the /S for a /. I thought that there might have been a space in the AUDIT_FAILURE log string that was truncating the pattern matching too soon. However, after swapping the /. back to /S my rule
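The effect Ian describes (a decoder field pattern that stops at whitespace versus one that accepts anything) can be seen directly on the event quoted at the top of the thread, because two of its fields, "(no user)" and "no domain", contain spaces. The following is an added illustration and is not code from the thread or from OSSEC: it uses Python's re module as a stand-in for OSSEC's own regex engine, with OSSEC's \S mapped to Python \S and OSSEC's "match anything" \. mapped to a lazy .+?. The field layout, the names STRICT/LOOSE and the rule_matches check are assumptions made for the example, not the real Windows decoder or the poster's rule.

```python
import re

# Constructed from the event quoted in the first message of the thread, trimmed to
# the fields a decoder would look at; the text after the computer name is the message.
SAMPLE_EVENT = (
    "2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: "
    "The Windows Filtering Platform blocked a packet. Application Information: "
    "Process ID: 0 Application Name: -"
)

# Assumption: a simplified, OSSEC-style Windows decoder expressed as Python regexes.
# STRICT uses \S+ (no whitespace allowed inside a field); LOOSE uses .+? (anything,
# as few characters as possible, up to the next ": " separator).
STRICT = re.compile(
    r"^WinEvtLog: (?P<log_name>\S+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<provider>\S+): (?P<user>\S+): (?P<domain>\S+): "
    r"(?P<system_name>\S+): (?P<message>.*)$"
)
LOOSE = re.compile(
    r"^WinEvtLog: (?P<log_name>.+?): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<provider>.+?): (?P<user>.+?): (?P<domain>.+?): "
    r"(?P<system_name>\S+): (?P<message>.*)$"
)


def strip_timestamp(line):
    """Drop the 'YYYY Mon DD HH:MM:SS ' prefix so the line starts at 'WinEvtLog: '."""
    m = re.match(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (.*)$", line)
    return m.group(1) if m else line


def decode(line, pattern):
    """Return the decoded fields as a dict, or None when the pattern does not match."""
    m = pattern.match(strip_timestamp(line))
    return m.groupdict() if m else None


def rule_matches(fields, event_id="5152", status="AUDIT_FAILURE"):
    """Toy stand-in for a rule keyed on decoded fields (assumption, not the poster's
    rule): it can only fire if the decoder produced an id and status at all."""
    if not fields:
        return False
    return fields.get("id") == event_id and fields.get("status") == status


def compare(line=SAMPLE_EVENT):
    """Run both decoder variants over one event and report which one lets the rule fire."""
    strict_fields = decode(line, STRICT)
    loose_fields = decode(line, LOOSE)
    return {
        "strict_decoded": strict_fields is not None,
        "loose_decoded": loose_fields is not None,
        "strict_rule_fires": rule_matches(strict_fields),
        "loose_rule_fires": rule_matches(loose_fields),
        "loose_fields": loose_fields,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the strict pattern the user field reaches "(no" and then needs ": " but finds a space, so the whole regex fails and nothing downstream (including any rule keyed on the event id) can match; with the loose pattern every field decodes and the rule fires. When a rule silently never matches, running the raw line through the decoder with ossec-logtest and checking which field is the first one not to decode is the quickest way to confirm this kind of mismatch.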