Defender KQL query for Windows firewall status changes?
Hi all,
I would like a KQL query that finds when the Windows firewall is stopped or turned off on our servers in the last 7 days, with the aim of creating a custom detection rule to alert.
So far, I have this:
4 Replies
- Marcin_Gorski (Copper Contributor):
 GI472, try this:

 SecurityEvent
 | where TimeGenerated > ago(30d)
 | where Computer == "devicename"
 // 5037 - The Windows Firewall Driver detected a critical runtime error.
 // 5024 - The Windows Firewall Service has started successfully.
 | where EventID in (5024, 5037)
 | project TimeGenerated, EventID, Activity

- GI472 (Brass Contributor):
 Hi Marcin_Gorski,
 Thanks for taking a look, but I should have been clearer. I don't have Sentinel, only Defender. I can use KQL, but I don't have a table called SecurityEvent to query. If I could quickly and easily get data from the Event Viewer without having to log on to each machine that would be awesome, but I understand that you can no longer create a query in Event Viewer and have it email you. I'm guessing Defender just doesn't integrate closely enough to accurately tell when the Firewall is stopped/changed. Probably because they want you to buy Sentinel!

- Hi GI472,
 Can you check if you get any DeviceRegistryEvents once you disable the firewall? I think there is a detection opportunity over there.
- Marcin_Gorski (Copper Contributor):
 Hi GI472,
 Were you able to find a good solution?
 I would also like to know the answer to your question, as it became mine.
 The query looks OK.
 I've tested it and I can find the device where the service was stopped. But the Firewall service on that device was active when I checked it with Get-NetFirewallProfile.
 And I don't see any other ActionType reference which indicates turning on the firewall service.
 Best
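An added Defender advanced hunting query for the DeviceRegistryEvents approach suggested above (example code, not a query posted in this thread). It assumes that disabling a firewall profile, whether locally via Set-NetFirewallProfile or through Group Policy, is recorded as a RegistryValueSet of the EnableFirewall value under the local FirewallPolicy key or the WindowsFirewall policy key, and it keeps DeviceId and ReportId because custom detection rules require them.

```kql
// Added example: firewall profile disabled, from Defender registry telemetry.
// Assumption: profile state lives in the EnableFirewall value under
//   HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\<Profile>  (local)
//   HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>                                 (GPO)
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType == "RegistryValueSet"
| where RegistryValueName =~ "EnableFirewall"
| where RegistryKey has_any ("FirewallPolicy", "WindowsFirewall")
// DWORD data is surfaced as a string: "0" = profile off, "1" = profile on
| where RegistryValueData == "0"
// Pull the profile name out of the key path (Domain/Standard/Private/Public)
| extend Profile = extract(@"\\(Domain|Standard|Private|Public)Profile", 1, RegistryKey)
| project Timestamp, DeviceId, DeviceName, ReportId, Profile,
          PreviousRegistryValueData, RegistryValueData, RegistryKey,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

Stopping the MpsSvc service itself does not write this value, so a service stop will not show up here; this query only catches the profile being switched off.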