Forum Discussion

GI472
Brass Contributor
Sep 07, 2023

Defender KQL query for Windows firewall status changes?

Hi all,

I would like a KQL query that finds when the Windows firewall is stopped or turned off on our servers in the last 7 days, with the aim of creating a custom detection rule to alert.

So far, I have this:

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "FirewallServiceStopped"
| sort by Timestamp

However, I tested this by turning off the Windows firewall on a server and there was no alert, not even an obvious entry in the device timeline when I view all ActionTypes/events.

What am I doing wrong?

Or is there something I'm missing, like this ActionType doesn't do what I think it does, or these alerts go to Windows Event Viewer, etc.?

 

  •
    Marcin_Gorski
    Copper Contributor

    GI472, try this:

    SecurityEvent
    | where TimeGenerated > ago(30d)
    | where Computer == "devicename"
    // EventID is an integer column, so compare against numbers rather than strings
    | where EventID in (5037, 5024)
    // 5037 - The Windows Firewall Driver detected a critical runtime error.
    // 5024 - The Windows Firewall Service has started successfully.
    | project TimeGenerated, EventID, Activity
    •
      GI472
      Brass Contributor

      Hi Marcin_Gorski,

      Thanks for taking a look, but I should have been clearer. I don't have Sentinel, only Defender. I can use KQL, but I don't have a table called SecurityEvent to query.

      If I could quickly and easily get data from the Event Viewer without having to log on to each machine that would be awesome, but I understand that you can no longer create a query in Event Viewer and have it email you.

      I'm guessing Defender just doesn't integrate closely enough to accurately tell when the Firewall is stopped/changed.

      Probably because they want you to buy Sentinel!

      •
        cyb3rmik3
        Iron Contributor

        Hi GI472,

        Can you check if you get any DeviceRegistryEvents once you disable the firewall? I think there is a detection opportunity over there.

  •
    Marcin_Gorski
    Copper Contributor

    Hi GI472,
    Were you able to find a good solution?
    I would also like to know the answer to your question, as it has become mine too.

    The query looks ok.
    I've tested it and I can find the device where the service was stopped. But the Firewall service on that device was active when I checked it with Get-NetFirewallProfile.
    And I don't see any other ActionType reference which indicates turning on the firewall service.

    Best

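An added example (not code posted by anyone in this thread) that follows up cyb3rmik3's suggestion: disabling a profile in the firewall UI or with Set-NetFirewallProfile writes EnableFirewall = 0 under that profile's FirewallPolicy registry key while the MpsSvc service keeps running, which is why the service-stop ActionType in the original query does not fire. The query below watches for that value change and projects the Timestamp, DeviceId and ReportId columns that a Defender custom detection rule requires. It assumes Defender for Endpoint records value writes under these keys, which should be confirmed on a test device as cyb3rmik3 suggests.

```kql
// Added example, not from the thread: detect a Windows firewall profile being turned off
// via its EnableFirewall registry value. Assumes Defender for Endpoint collects value
// writes under these keys; confirm on a test device before relying on it.
// Local profile settings: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\<Profile>
// GPO-managed settings:   HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>
DeviceRegistryEvents
| where Timestamp > ago(7d)                      // drop this line when used as a custom detection rule
| where ActionType == "RegistryValueSet"
| where RegistryKey contains @"\SharedAccess\Parameters\FirewallPolicy"
     or RegistryKey contains @"\Policies\Microsoft\WindowsFirewall"
| where RegistryKey has_any ("DomainProfile", "StandardProfile", "PublicProfile")
| where RegistryValueName =~ "EnableFirewall"
// "0" means the profile is disabled; RegistryValueData is a string column
| where RegistryValueData == "0"
// only alert when the profile actually changed state, not on a rewrite of an existing 0
| where PreviousRegistryValueData != "0"
| extend Profile = extract(@"\\(\w+Profile)$", 1, RegistryKey)
| project Timestamp, DeviceId, ReportId, DeviceName, Profile,
          RegistryKey, PreviousRegistryValueData, RegistryValueData,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
```

Run it in Advanced Hunting right after disabling a profile on a test server; if rows appear, the same query (without the time filter) can be saved as a custom detection rule, and the InitiatingProcess columns show whether the change came from the UI, netsh, PowerShell or policy processing.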