Microsoft-Windows-Windows Firewall With Advanced Security/Firewall Event ID 2071 & 2097

Marcin Górski 5

Hello,

In the Azure Sentinel Events table, I'm seeing event IDs 2071 and 2097 from Microsoft-Windows-Windows Firewall With Advanced Security/Firewall but I can't find any information about them in the official documentation.

Event ID 2071 occurs on Windows 11, and Event ID 2097 occurs on Windows 10 workstations.

Can you provide detailed information about those event IDs or direct me to find detailed information in the documentation?

Givary-MSFT 28,321 Reputation points Microsoft Employee

2023-12-27T08:48:52.84+00:00

@Marcin Górski Thank you for reaching out to us, As I understand you are looking for details on Event 2097 & Event 2071.

As these events are related to Windows firewall/Networking, Added the windows network / windows 10 network tag for more visibility.

As per my research I could find only info related to Event 2071 - FQDN based firewall rules (currently supported on Windows 11 and Windows 10 22H2).

Will search for details related to event 2097, keep you posted once i have the details.

Let me know if you have any further questions, feel free to post back.

1 answer

Kevin Herrmann 5 Reputation points

2024-04-05T15:47:43.1833333+00:00

I was just investigating why task scheduler tasks triggered by events stopped working months ago and found that, in WIndows 10, 2097 is the event for Added Rule (used to be 2004) and 2099 is the event for Modified Rule (used to be 2005), while Delete Rule remains 2006. This thread is the only thing that came up when I Googled this, so it appears undocumented by Microsoft and adding this in case it helps anyone who does likewise.
Please sign in to rate this answer.

1 person found this answer helpful.
Marcin Górski 20 Reputation points

2024-04-09T10:55:10.08+00:00

Thank you @Kevin Herrmann
Sign in to comment