Windows-itpro-docs: windows event log 5155 xml example

Created on 18 Apr 2019 · 9 Comments · Source: MicrosoftDocs/windows-itpro-docs

This page doesn't have an XML example; below is my test result:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>5155</EventID> <Version>0</Version> <Level>0</Level> <Task>12810</Task> <Opcode>0</Opcode> <Keywords>0x8010000000000000</Keywords> <TimeCreated SystemTime="2019-04-18T03:49:08.507780900Z" /> <EventRecordID>42196</EventRecordID> <Correlation /> <Execution ProcessID="4" ThreadID="2788" /> <Channel>Security</Channel> <Computer>NATHAN-AGENT2</Computer> <Security /> </System> <EventData> <Data Name="ProcessId">2628</Data> <Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data> <Data Name="SourceAddress">0.0.0.0</Data> <Data Name="SourcePort">5555</Data> <Data Name="Protocol">6</Data> <Data Name="FilterRTID">84576</Data> <Data Name="LayerName">%%14609</Data> <Data Name="LayerRTID">40</Data> </EventData> </Event>
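
Added example, not part of the original issue or of the Microsoft documentation: a small Python parser that flattens a 5155 event like the one above into a dictionary and derives two triage hints from it. The function names and the `triage` rules are assumptions made for illustration; the sample is an abridged copy of the event posted in this issue.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers
WILDCARD = {"0.0.0.0", "::"}                  # listener bound to every interface

# Abridged copy of the event posted in this issue (System trimmed to the fields used).
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5155</EventID>
  <TimeCreated SystemTime="2019-04-18T03:49:08.507780900Z" />
  <Computer>NATHAN-AGENT2</Computer></System>
 <EventData>
  <Data Name="ProcessId">2628</Data>
  <Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
  <Data Name="SourceAddress">0.0.0.0</Data>
  <Data Name="SourcePort">5555</Data>
  <Data Name="Protocol">6</Data>
  <Data Name="FilterRTID">84576</Data>
  <Data Name="LayerName">%%14609</Data>
  <Data Name="LayerRTID">40</Data>
 </EventData></Event>"""

def parse_5155(xml_text):
    """Return a flat dict for one 5155 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5155":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    proto = int(data["Protocol"])
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "pid": int(data["ProcessId"]),
        "image": data["Application"].rsplit("\\", 1)[-1].lower(),
        "path": data["Application"],
        "address": data["SourceAddress"],
        "port": int(data["SourcePort"]),
        "protocol": PROTOCOLS.get(proto, str(proto)),
    }

def triage(ev):
    """Hypothetical triage hints: reasons a blocked listener deserves a closer look."""
    notes = []
    if ev["address"] in WILDCARD:
        notes.append("listen on all interfaces")
    if "\\users\\" in ev["path"].lower():
        notes.append("binary runs from a user profile")
    return notes
```
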


All 9 comments

GitHub pro tip: use 3 back ticks ``` (or 3 tildes ~~~) on a blank line above your inserted code to create a code block fence (GitHub Markdown formatting language) so the code keeps its indents, tags and markers.
Attempt to reformat your output, using "XML Formatter online":

```xml
<Event
    xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5155</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12810</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2019-04-18T03:49:08.507780900Z" />
        <EventRecordID>42196</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="2788" />
        <Channel>Security</Channel>
        <Computer>NATHAN-AGENT2</Computer>
        <Security />
    </System>
    <EventData>
        <Data Name="ProcessId">2628</Data>
        <Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
        <Data Name="SourceAddress">0.0.0.0</Data>
        <Data Name="SourcePort">5555</Data>
        <Data Name="Protocol">6</Data>
        <Data Name="FilterRTID">84576</Data>
        <Data Name="LayerName">%%14609</Data>
        <Data Name="LayerRTID">40</Data>
    </EventData>
</Event>
```

I have closed the code block fence using 3 back ticks ( ``` )
in addition to using 3 back ticks + xml as the leading line above the code block.

Example: ```xml

@audi5411 : As you can see in issue https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3291, the PR Auditing: Add an event example in event-5159.md #3303 has been accepted and we can go ahead with your desired plan to add information to the other issues (open a new issue ticket for the pages in need of more info) and only provide the first image + XML for the new page. (You have already created this issue ticket, so you only need to open one each for 5150 & 5151.)

@officedocsbot assign @e0i

@audi5411 : Do you have any updates for examples of the events 5150 and 5151?


edit: Sorry, it looks like I have forgotten to follow up on event 5155. I need to start a PR for it.

@illfated : I worked on other things after posting the feedback, so I don't have an example. Sorry~

Fair enough, we are after all simply contributing in our spare time. I will keep an eye out for if someone else opens up issue tickets for those other pages.

Added XML from the example provided by @audi5411, also added event description and field descriptions.

@audi5411

With the help of your feedback, the content has been updated with relevant changes accordingly. Thanks.

ok thank you.
