Forum Discussion

GI472's avatar
GI472
Brass Contributor
Sep 07, 2023

Defender KQL query for Windows firewall status changes?

Hi all,   I would like a KQL query that finds when the Windows firewall is stopped or turned off on our servers in the last 7 days, with the aim of creating a custom detection rule to alert.   So...
investigation
learning
threat hunting
Marcin_Gorski's avatar
Marcin_Gorski
Copper Contributor
Feb 14, 2024

GI472 
try this 

SecurityEvent
| where TimeGenerated > ago(30d)
| where Computer == "devicename"
| where EventID == "5037" or EventID == "5024"
//5037 -  The Windows Firewall Driver detected a critical runtime error.
//5024 - The Windows Firewall Service has started successfully.
| project TimeGenerated, EventID, Activity
GI472's avatar
GI472
Brass Contributor
Feb 16, 2024

Hi Marcin_Gorski ,

 

Thanks for taking a look, but I should have been clearer. I don't have Sentinel, only Defender. I can use KQL, but I don't have a table called SecurityEvent to query. 

 

If I could quickly and easily get data from the EventViewer without having to logon to each machine that would be awesome, but I understand that you can no longer create a query in EventViewer and have it email you.

 

I'm guessing Defender just doesn't integrate closely enough to accurately tell when the Firewall is stopped/changed.

 

Probably because they want you to buy Sentinel!

  • cyb3rmik3's avatar
    cyb3rmik3
    MVP
    Apr 29, 2024

    Hi GI472,

     

    Can you check if you get any DeviceRegistryEvents once you disable the firewall? I think there is a detection opportunity over there.

Resources