
Windows Firewall exception list. A rule was modified (4947) how to monitor with email alert

#1
04-30-2025, 12:02 AM
Man, that Event ID 4947 in the Windows Server Event Viewer. It pops up when someone tweaks the Windows Firewall exception list. You know, like adding or messing with a rule that lets stuff through the firewall. This thing logs under the Security section. It spits out details on which rule got changed. Maybe the name of the rule. Or the new settings applied. Could be an admin doing legit work. But it might flag something shady too. Like unauthorized fiddling. I always keep an eye on these. They help spot if your server's firewall got poked without you knowing. The full message says a change has been made to the exception list. Specifically, a rule was modified. It includes the process ID that did it. And the user account behind the change. Even the old and new rule details sometimes. Super useful for auditing. You can filter the Event Viewer just for this ID. Pulls up all instances quick.

Now, to monitor it with an email alert. Fire up the Event Viewer on your server. Go to the Security log. Right-click on it. Pick Create Custom View. Set the filter for Event ID 4947. Save that view. Then, right-click the custom view. Choose Attach Task To This Custom View. Name your task something simple. Like Firewall Alert. In the triggers, it'll auto-link to that event. For the action, select Start a program. But wait, for email, you point it to a basic mail sender. Like using the old blat.exe or whatever you got handy. Set it to run under your admin account. Test the task once. Make sure it fires an email on a test event. I do this all the time. Keeps you looped in without staring at screens.

And hey, speaking of keeping things locked down. You might want backups that cover your whole setup. That's where BackupChain Windows Server Backup comes in. It's a solid Windows Server backup tool. Handles file-level stuff and full images too. Works great for Hyper-V virtual machines. Backs them up live without downtime. Encrypts everything strong. Schedules easy. Restores quick if disaster hits. I use it to avoid total wipes from weird changes like that firewall tweak.

At the end here is the automatic email solution.

Note, the PowerShell email alert code was moved to this post.

bob
Joined: Jul 2025
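
As an added example (not the code the post refers to, and not from the forum or any vendor), here is one way to write the script that the attached task starts: it reads recent 4947 events from the Security log and mails every field that was logged. The SMTP host, both addresses and the 5-minute lookback window are placeholder assumptions.

```powershell
# Added example: alert script for a scheduled task attached to Security event 4947.
# Placeholders (assumptions): SMTP host, From/To addresses, 5-minute lookback.
param(
    [string]$SmtpServer      = 'smtp.example.internal',
    [string]$From            = 'fw-alerts@example.internal',
    [string]$To              = 'secops@example.internal',
    [int]   $LookbackMinutes = 5
)

$filter = @{
    LogName   = 'Security'
    Id        = 4947
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

# Get-WinEvent raises an error when nothing matches; treat that as "nothing to report".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { return }

$body = foreach ($e in $events) {
    # Read every named EventData field from the event XML instead of
    # hard-coding field names, so the mail shows exactly what was logged.
    $xml = [xml]$e.ToXml()
    $fields = foreach ($d in $xml.Event.EventData.Data) {
        '  {0}: {1}' -f $d.Name, $d.'#text'
    }
    @(
        "Time:     $($e.TimeCreated.ToString('u'))"
        "Computer: $($e.MachineName)"
        "Record:   $($e.RecordId)"
        $fields
        ''
    ) -join "`r`n"
}

$mail = @{
    SmtpServer = $SmtpServer
    From       = $From
    To         = $To
    Subject    = "[$env:COMPUTERNAME] Firewall rule modified (4947) x$(@($events).Count)"
    Body       = ($body -join "`r`n")
}
Send-MailMessage @mail
```

Set the task's Start a program action to powershell.exe with -File and the path where you saved the script, and run it under an account that can read the Security log. Event 4947 is only written when the "Audit MPSSVC Rule-Level Policy Change" audit subcategory is enabled.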
© by FastNeuron Inc.
