I am able to get the Windows Filtering Platform (firewall) event log into Splunk. I have all the information such as destination, source, port, application, protocol... However, the only thing I am missing is Local Principals Users. I have googled and visited many sites, and it seems like such valuable information is not being captured in the Event Log. Does anyone know how to get such information? I need to know which user is using the application; furthermore, I want to use such information to tighten the firewall, such as only allowing user1 to use application XYZ to visit 1.1.1.1.
I know some of you might suggest AppLocker, but I ran into a situation where I want to allow user2 to visit 1.1.1.2 but not 1.1.1.1; using AppLocker would block out user2.
Here are some of the event logs for the Windows Filtering Platform from the Microsoft website. There is no indication that it logs "Local Principals Users". Is there a verbosity level that I can increase?
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157
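Event 5157 carries a Process ID and an Application path but no account. The account is available from a different event: 4688 (process creation, "Audit Process Creation" must be enabled) records the Subject account together with the New Process ID, and 4689 records the exit. The added example below, which is not from the original post or from Microsoft, joins 5157 to the 4688/4689 lifetime of the same PID and then checks each attributed connection against the per-user policy described above (user1 may reach 1.1.1.1 with XYZ, user2 may reach 1.1.1.2 but not 1.1.1.1). The event dicts, account names, PIDs and addresses are constructed sample data; the field names are the EventData names used in the Windows Security log, which is what a Splunk export of those events also exposes. Note that 4688 writes the PID in hex while 5157 writes it in decimal, and that 5157 reports the image as a \device\... path, so the join compares image basenames as a guard against PID reuse.

```python
"""Attribute WFP blocked-connection events (5157) to users via 4688/4689.

Added example, not code from the original post. Assumes events exported as
dicts keyed by the Security-log EventData names; SAMPLE_EVENTS is constructed.
"""
from datetime import datetime, timezone
from pathlib import PureWindowsPath

SAMPLE_EVENTS = [
    # 4688: process creation. NewProcessId is hex in the Security log.
    {"EventID": 4688, "TimeCreated": "2024-05-01T09:00:00Z",
     "SubjectUserName": "user1", "SubjectDomainName": "CORP",
     "NewProcessId": "0x1a4c", "NewProcessName": r"C:\Program Files\XYZ\xyz.exe"},
    # 5157: WFP blocked a connection. ProcessID is decimal (0x1a4c == 6732)
    # and Application is a \device\... path, not a drive-letter path.
    {"EventID": 5157, "TimeCreated": "2024-05-01T09:00:05Z",
     "ProcessID": "6732",
     "Application": r"\device\harddiskvolume2\program files\xyz\xyz.exe",
     "SourceAddress": "10.0.0.5", "SourcePort": "51234",
     "DestAddress": "1.1.1.1", "DestPort": "443", "Protocol": "6"},
    # 4689: process exit. After this the PID is free to be reused.
    {"EventID": 4689, "TimeCreated": "2024-05-01T09:10:00Z",
     "ProcessId": "0x1a4c", "ProcessName": r"C:\Program Files\XYZ\xyz.exe"},
    # Same PID reused by a different user's process.
    {"EventID": 4688, "TimeCreated": "2024-05-01T09:11:00Z",
     "SubjectUserName": "user2", "SubjectDomainName": "CORP",
     "NewProcessId": "0x1a4c", "NewProcessName": r"C:\Windows\System32\curl.exe"},
    {"EventID": 5157, "TimeCreated": "2024-05-01T09:11:30Z",
     "ProcessID": "6732",
     "Application": r"\device\harddiskvolume2\windows\system32\curl.exe",
     "SourceAddress": "10.0.0.5", "SourcePort": "51300",
     "DestAddress": "1.1.1.1", "DestPort": "443", "Protocol": "6"},
    # 5157 with no 4688 in the window (process audit off, or process
    # started before collection began): cannot be attributed.
    {"EventID": 5157, "TimeCreated": "2024-05-01T09:12:00Z",
     "ProcessID": "900",
     "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "SourceAddress": "10.0.0.5", "SourcePort": "51400",
     "DestAddress": "1.1.1.1", "DestPort": "443", "Protocol": "6"},
]

# Intended per-user policy from the post: (account, image basename) -> allowed IPs.
ALLOWED = {
    ("CORP\\user1", "xyz.exe"): {"1.1.1.1"},
    ("CORP\\user2", "curl.exe"): {"1.1.1.2"},
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _basename(path):
    # PureWindowsPath understands both C:\... and \device\... forms.
    return PureWindowsPath(path).name.lower()


def attribute_users(events):
    """Return one record per 5157 event with the owning account attached.

    A 4688 opens a process lifetime for its PID and a 4689 closes it. A 5157
    is attributed to the lifetime open at its timestamp, provided the image
    basenames agree (guards against a reused PID). Events are processed in
    time order, as Splunk would return them with `| sort _time`.
    """
    live = {}  # pid -> (DOMAIN\user, image path)
    records = []
    for ev in sorted(events, key=lambda e: _ts(e["TimeCreated"])):
        eid = ev["EventID"]
        if eid == 4688:
            pid = int(ev["NewProcessId"], 16)
            account = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
            live[pid] = (account, ev["NewProcessName"])
        elif eid == 4689:
            live.pop(int(ev["ProcessId"], 16), None)
        elif eid == 5157:
            pid = int(ev["ProcessID"])
            owner = live.get(pid)
            user = "unknown"
            if owner and _basename(owner[1]) == _basename(ev["Application"]):
                user = owner[0]
            records.append({
                "time": ev["TimeCreated"], "user": user, "pid": pid,
                "application": ev["Application"],
                "dest": f'{ev["DestAddress"]}:{ev["DestPort"]}',
            })
    return records


def outside_policy(records, allowed=ALLOWED):
    """Attributed records whose (user, image) is not allowed to reach the destination.

    Unattributed records ("unknown") are always reported, since a policy
    that names users cannot vouch for a connection with no user.
    """
    flagged = []
    for r in records:
        key = (r["user"], _basename(r["application"]))
        dest_ip = r["dest"].rsplit(":", 1)[0]
        if dest_ip not in allowed.get(key, set()):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for r in outside_policy(attribute_users(SAMPLE_EVENTS)):
        print(f'{r["time"]} {r["user"]} pid={r["pid"]} -> {r["dest"]} ({r["application"]})')
```

The join only works when 4688 is being collected for the same hosts and the 5157 falls inside the process lifetime, which is why the "unknown" case is reported rather than silently dropped. For enforcement, the Windows Firewall rule engine does support a Local Principals condition on a rule (the `-LocalUser` parameter of `New-NetFirewallRule`, which takes an SDDL string naming the allowed SIDs), so a per-user, per-application, per-destination rule can be expressed without AppLocker; what the WFP audit events lack is only the user in the log, not the ability to filter on one.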