Forum Discussion
GI472
Sep 07, 2023, Brass Contributor
Defender KQL query for Windows firewall status changes?
Hi all, I would like a KQL query that finds when the Windows firewall is stopped or turned off on our servers in the last 7 days, with the aim of creating a custom detection rule to alert. So...
Marcin_Gorski
Feb 14, 2024, Copper Contributor
Hi GI472,
Were you able to find a good solution?
I would also like to know the answer to your question as it became mine.
The query looks ok.
I've tested it and I can find the device where the service was stopped. But the Firewall service on that device was active when I checked it with Get-NetFirewallProfile.
And I don't see any other ActionType reference which indicates turning on the firewall service.
Best
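A starting point for the query the thread asks about, added here as an example and not the query either poster ran. It covers both the case GI472 asked for (the firewall service being stopped) and the gap Marcin noticed (a profile switched off while the service keeps running, which the service-stop event never reports). It assumes the Defender advanced hunting ActionType value FirewallServiceStopped, the standard per-profile EnableFirewall registry values, and that servers can be picked out by DeviceInfo.OSPlatform starting with WindowsServer.

```kql
// Added example, not the thread's own query.
// Assumptions: ActionType "FirewallServiceStopped" in DeviceEvents, the
// EnableFirewall DWORD under ...\SharedAccess\Parameters\FirewallPolicy\<Profile>
// (or the GPO path SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>),
// and DeviceInfo.OSPlatform values such as "WindowsServer2022".
let lookback = 7d;
// 1. Firewall service stopped (what the thread's original query finds)
let svc_stopped = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FirewallServiceStopped"
    | extend Change = "Firewall service stopped", Profile = "";
// 2. A profile disabled via registry / policy while the service stays up.
//    This is why a host can show as "stopped" here yet report enabled
//    profiles in Get-NetFirewallProfile, or the reverse.
let profile_off = DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "RegistryValueSet"
    | where RegistryValueName =~ "EnableFirewall"
    | where RegistryKey has_any ("FirewallPolicy", "WindowsFirewall")
    | where RegistryValueData == "0"
    | extend Change = "Firewall profile disabled",
             Profile = extract(@"\\([A-Za-z]+Profile)$", 1, RegistryKey);
union svc_stopped, profile_off
// Keep servers only (assumed OSPlatform naming)
| join kind=inner (
    DeviceInfo
    | where OSPlatform startswith "WindowsServer"
    | summarize arg_max(Timestamp, OSPlatform) by DeviceId
    | project DeviceId, OSPlatform
  ) on DeviceId
// Timestamp, DeviceId and ReportId must be projected for a custom detection rule
| project Timestamp, DeviceId, DeviceName, OSPlatform, Change, Profile,
          InitiatingProcessAccountName, InitiatingProcessCommandLine, ReportId
| order by Timestamp desc
```

Re-enabling a profile writes EnableFirewall = 1 to the same key, so the same DeviceRegistryEvents filter with RegistryValueData == "1" gives the "turned back on" side that the ActionType list lacks.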