How SOC Teams Detect Malware and Suspicious Network Activity Using Windows Defender & Firewall Logs
It usually starts with something small.
A finance employee clicks a fake invoice attachment. Nothing crashes. No ransomware popup appears. The user continues working normally while, in the background, malware silently establishes outbound connections to a command-and-control server.
Hours later, sensitive company data begins leaving the network.
In many real-world enterprise breaches, the first indicators are not flashy malware alerts or dramatic system failures. Instead, the earliest warning signs often appear inside Windows Defender logs, Windows Firewall events, and Security Event IDs that most organizations rarely monitor properly.
Modern SOC teams heavily rely on Windows Event Logs to detect malware infections, suspicious outbound traffic, disabled security services, and attacker persistence techniques. Event IDs like 1116, 5025, and 5156 are frequently involved in incident investigations because they reveal exactly when malware was detected, when defenses were disabled, and what network connections were allowed.
In this guide, we’ll break down how cybersecurity professionals use Windows Defender and Firewall logs in real-world environments to detect threats, investigate suspicious activity, and improve enterprise visibility.
Table of Contents
- Why Windows Defender & Firewall Logs Matter
- Event ID 1116 – Malware Detection
- Event ID 5025 – Windows Firewall Service Stopped
- Event ID 5156 – Allowed Network Connection
- Real-World Attack Scenario
- Using PowerShell to Search Multiple Event IDs
- SOC Investigation Workflow
- Detection & Prevention Techniques
- Expert SOC Tips
- FAQ
- Conclusion
Why Windows Defender & Firewall Logs Matter?
Many organizations invest heavily in EDR tools, SIEM platforms, threat intelligence feeds, and advanced detection systems. Yet attackers still compromise environments because basic Windows logging is either disabled, ignored, or improperly configured.
Windows Defender and Windows Firewall logs provide critical telemetry that helps defenders answer essential questions:
- Was malware detected on the system?
- Did someone disable security protections?
- What outbound connections were allowed?
- Which process communicated externally?
- Was suspicious remote access established?
- Did attackers attempt lateral movement?
These logs are especially valuable because they are native to Windows environments and available across most enterprise systems without requiring expensive third-party tools.
For SOC analysts, these events become part of the early-warning system used to identify:
- Malware infections
- Command-and-control traffic
- Privilege escalation
- Defense evasion
- Persistence mechanisms
- Insider threats
- Data exfiltration attempts
Event ID 1116 – Malware Detected by Windows Defender
What Is Event ID 1116?
Event ID 1116 is generated when Microsoft Defender detects malware or potentially malicious software on a Windows system.
This event is one of the most important Defender alerts because it provides immediate visibility into malicious activity occurring on the endpoint.
What Analysts Look For?
When Event ID 1116 appears, SOC analysts investigate several key elements:
- Malware name or threat family
- Affected file path
- User account involved
- Detection timestamp
- Whether remediation succeeded
- Associated process execution
Common Real-World Scenarios
- User downloads a malicious ZIP attachment
- PowerShell-based malware execution
- Trojanized software installers
- Credential-stealing malware
- Cryptominer infections
- Ransomware loaders
Why It Matters?
Attackers frequently test malware variants against antivirus engines before deployment. If Event ID 1116 appears, defenders should never assume the threat was fully contained automatically.
Advanced malware may:
- Execute before quarantine
- Establish persistence first
- Create scheduled tasks
- Inject into legitimate processes
- Disable logging mechanisms
Experienced SOC teams always correlate Event ID 1116 with:
- PowerShell logs
- Process creation events
- Firewall connection logs
- Remote login activity
- DNS requests
Event ID 5025 – Windows Firewall Service Stopped
What Is Event ID 5025?
Event ID 5025 indicates that the Windows Firewall service was stopped.
This is an extremely high-risk event in enterprise environments because attackers often disable security services to avoid detection.
Why Attackers Disable Firewalls?
Cybercriminals disable Windows Firewall for several reasons:
- To establish unrestricted outbound communication
- To bypass detection rules
- To enable remote access tools
- To expose services internally
- To simplify lateral movement
Real-World Red Flags
Event ID 5025 becomes especially dangerous when combined with:
- Suspicious PowerShell activity
- New administrative accounts
- Remote desktop logins
- Scheduled task creation
- Encoded command execution
- Unsigned executable launches
Important Investigation Questions
- Who stopped the firewall service?
- Was it manual or malware-driven?
- What happened immediately afterward?
- Were outbound connections established?
- Did persistence mechanisms appear?
In mature SOC environments, Event ID 5025 usually triggers immediate alerts because disabling firewall protections is strongly associated with active compromise.
Event ID 5156 – Allowed Network Connection
What Is Event ID 5156?
Event ID 5156 records network connections allowed by the Windows Filtering Platform.
This event is incredibly valuable for threat hunting because it shows which processes are communicating across the network.
Why SOC Teams Monitor It?
Attackers almost always require outbound communication for:
- Data exfiltration
- Command-and-control traffic
- Payload downloads
- Credential theft operations
- Remote shell access
Event ID 5156 helps analysts identify:
- Unexpected outbound traffic
- Connections to malicious IP addresses
- Rare network destinations
- Processes making suspicious requests
- Beaconing behavior
Important Fields Inside Event 5156
| Field | Description |
| Application Name | Process making the network connection |
| Source Address | Local machine IP address |
| Destination Address | Remote IP address |
| Destination Port | Target port used |
| Protocol | TCP or UDP communication |
Suspicious Examples
- PowerShell.exe connecting externally
- cmd.exe making outbound traffic
- Office applications contacting unknown IPs
- Unsigned executables communicating over HTTPS
- Frequent DNS beaconing patterns
Real-World Attack Scenario
A US-based healthcare organization experienced a phishing attack targeting HR employees.
An employee opened a malicious Excel attachment containing an embedded macro. The macro launched PowerShell silently in the background.
The attacker’s malware performed several actions:
- Downloaded a remote payload
- Disabled Windows Firewall
- Established outbound encrypted communication
- Created persistence using scheduled tasks
- Attempted lateral movement across the network
During the investigation, SOC analysts identified the following timeline:
| Timestamp | Event |
| 09:12 AM | PowerShell execution detected |
| 09:13 AM | Event ID 1116 triggered by Defender |
| 09:14 AM | Event ID 5025 firewall service stopped |
| 09:15 AM | Event ID 5156 outbound connection established |
| 09:18 AM | Remote credential dumping activity observed |
Without proper log monitoring, the attack could have remained undetected for days.
Using PowerShell to Search Multiple Event IDs
SOC analysts frequently use PowerShell to quickly investigate multiple Windows Event IDs during threat hunting or incident response.
PowerShell Command
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4624, 4625, 4672)} | Format-Table TimeCreated, Id, Message -AutoSizeWhat This Command Does?
This PowerShell command searches the Windows Security log for multiple Event IDs simultaneously.
Included Event IDs
- 4624 – Successful logon
- 4625 – Failed logon attempt
- 4672 – Special privileges assigned
Why Analysts Use It?
Instead of manually searching through thousands of logs, analysts can quickly identify:
- Brute-force login attempts
- Administrative logins
- Privilege escalation
- Suspicious authentication patterns
Expected Output
The command displays:
- Event timestamp
- Event ID
- Detailed event message
This helps responders build attack timelines faster during investigations.
SOC Investigation Workflow
Step 1 – Confirm Malware Detection
Start with Defender alerts like Event ID 1116.
Determine:
- Threat family
- Affected hosts
- Execution status
- User context
Step 2 – Check for Defense Evasion
Look for Event ID 5025 and related service modifications.
Investigate:
- Firewall policy changes
- Defender exclusions
- Tamper protection alerts
Step 3 – Analyze Outbound Connections
Use Event ID 5156 to identify:
- Suspicious IP addresses
- Beaconing intervals
- Unusual ports
- Rare external destinations
Step 4 – Correlate Authentication Activity
Review:
- 4624 successful logins
- 4625 failed logins
- 4672 privilege assignments
- RDP session activity
Step 5 – Build the Attack Timeline
Combine all relevant events into a chronological investigation timeline.
This helps determine:
- Initial access vector
- Attacker objectives
- Lateral movement
- Persistence methods
- Data exfiltration attempts
Detection & Prevention Techniques
Enable Advanced Logging
Many organizations still operate with incomplete Windows auditing policies.
Enable:
- PowerShell logging
- Script block logging
- Process creation auditing
- Firewall auditing
- Defender advanced telemetry
Monitor Security Service Changes
Create SIEM alerts for:
- Firewall service stopped
- Defender disabled
- Audit logs cleared
- Logging configuration changes
Inspect Outbound Traffic
Most malware eventually needs outbound communication.
Monitor:
- Rare domains
- New IP destinations
- Geo-anomalous traffic
- Encrypted outbound connections
- High-frequency beaconing
Use Behavioral Detection
Static signatures alone are not enough.
Modern SOC teams focus heavily on:
- Behavioral analytics
- Anomaly detection
- User behavior monitoring
- Process correlation
Expert SOC Tips
Don’t Ignore “Allowed” Connections
Many analysts only focus on blocked traffic.
In reality, Event ID 5156 allowed connections are often more important because successful attacker communication is usually hidden there.
Baseline Normal Behavior
Without baseline visibility, defenders cannot distinguish malicious behavior from legitimate enterprise traffic.
Track:
- Common applications
- Normal outbound destinations
- Administrative behavior
- Typical login patterns
Correlate Multiple Logs Together
Single logs rarely tell the full story.
Real threat detection comes from combining:
- Defender alerts
- Firewall events
- Authentication logs
- PowerShell telemetry
- DNS activity
- Process execution data
Automate Alerting Carefully
Over-alerting creates analyst fatigue.
Prioritize alerts involving:
- Security control tampering
- Rare outbound destinations
- Administrative privilege escalation
- Encoded PowerShell commands
- Unsigned binaries
Related Cybersecurity Topics You Should Explore
- Hackers Love RDP: How SOC Teams Detect Suspicious Windows Remote Desktop Logins
- Windows Event IDs 106, 140, and 141 Could Reveal Hidden Malware Persistence
- PowerShell Attack Detection: How SOC Teams Catch Hackers Using Event ID 4103 & 4104
- This “Ignored” Windows Log Is Exposing Hackers — Are You Watching Application.evtx?
- This One Log File Reveals Every Hacker Move — Are You Checking Security.evtx?
- You’re Ignoring This Windows Log… And Hackers Love It (System.evtx Guide 2026)
- Detect Unauthorized Logins Before It’s Too Late: Event ID 4625 Guide (2026)
FAQ
What is Event ID 1116 in Windows Defender?
Event ID 1116 indicates malware or potentially malicious software was detected by Microsoft Defender.
Why is Event ID 5025 dangerous?
It shows the Windows Firewall service was stopped, which may indicate defense evasion by attackers or malware.
What does Event ID 5156 show?
It records allowed network connections through the Windows Filtering Platform, helping analysts monitor outbound communication.
Can attackers disable Windows Firewall?
Yes. Many malware families and post-exploitation frameworks attempt to disable firewall protections to avoid detection and enable unrestricted communication.
Why do SOC teams monitor outbound traffic?
Outbound traffic often reveals command-and-control communication, malware downloads, and data exfiltration attempts.
Is Windows Defender logging enough for enterprise security?
Windows Defender logs are valuable, but they should be combined with SIEM monitoring, endpoint detection tools, and behavioral analytics for stronger protection.
How can I improve Windows log visibility?
Enable advanced auditing policies, PowerShell logging, Defender telemetry, process creation logs, and centralized SIEM collection.
Conclusion
Windows Defender and Firewall logs remain some of the most underrated yet powerful data sources in enterprise cybersecurity.
While attackers constantly evolve their techniques, they still leave traces behind — malware detections, disabled security services, suspicious outbound connections, and unusual authentication activity.
Event IDs like 1116, 5025, and 5156 help SOC teams uncover those traces before a small compromise becomes a full-scale breach.
The difference between a contained incident and a major compromise often comes down to visibility.
Organizations that actively monitor Windows logs, correlate events intelligently, and investigate suspicious behavior early are far more likely to stop attackers before serious damage occurs.
In modern cybersecurity, logs are no longer just records.
They are evidence, early warnings, and sometimes the only clues defenders have.