Forum Discussion
GI472
Sep 07, 2023 - Brass Contributor
Defender KQL query for Windows firewall status changes?
Hi all, I would like a KQL query that finds when the Windows firewall is stopped or turned off on our servers in the last 7 days, with the aim of creating a custom detection rule to alert. So...
GI472
Feb 16, 2024 - Brass Contributor
Hi Marcin_Gorski,
Thanks for taking a look, but I should have been clearer. I don't have Sentinel, only Defender. I can use KQL, but I don't have a table called SecurityEvent to query.
If I could quickly and easily get data from the Event Viewer without having to log on to each machine that would be awesome, but I understand that you can no longer create a query in Event Viewer and have it email you.
I'm guessing Defender just doesn't integrate closely enough to accurately tell when the Firewall is stopped/changed.
Probably because they want you to buy Sentinel!
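For the Defender-only situation the reply describes (no Sentinel, no SecurityEvent table), the firewall state can still be watched from Defender for Endpoint's own Advanced Hunting tables. The following is an added example, not a query from either poster or from Microsoft: it joins two signals over the 7-day window from the original question, the per-profile EnableFirewall registry value being set to 0 (the documented location of the Windows Firewall on/off switch, both the live SharedAccess path and the Group Policy path) and the common command lines that produce the same result. It assumes the standard DeviceRegistryEvents and DeviceProcessEvents schema, and that the FirewallPolicy keys are among those Defender records, which is worth confirming in your tenant before relying on it.

```kql
// Added example (not from the thread): surface Windows Firewall being turned off
// or stopped on Defender-onboarded servers in the last 7 days.
// Assumption: standard MDE Advanced Hunting schema; registry paths are the
// documented per-profile EnableFirewall locations (live policy and GPO policy).
let lookback = 7d;
// Signal 1: EnableFirewall written as 0 for any profile.
let registry_off = DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType == "RegistryValueSet"
| where RegistryValueName =~ "EnableFirewall"
| where RegistryKey has @"\Services\SharedAccess\Parameters\FirewallPolicy\"
     or RegistryKey has @"\Policies\Microsoft\WindowsFirewall\"
| where RegistryValueData == "0"
// Live path uses Domain/Standard/Public; the GPO path uses Domain/Private/Public.
| extend Profile = extract(@"\\(Domain|Standard|Private|Public)Profile", 1, RegistryKey)
| project Timestamp, DeviceId, DeviceName, ReportId,
    Signal = "FirewallProfileDisabled",
    Detail = strcat(Profile, " profile via ", RegistryKey),
    Actor = InitiatingProcessAccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine;
// Signal 2: command lines that turn the firewall off or stop its service.
let cmdline_off = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where (FileName =~ "netsh.exe"
            and ProcessCommandLine has_all ("advfirewall", "state", "off"))
     or (FileName in~ ("powershell.exe", "pwsh.exe")
            and ProcessCommandLine has "Set-NetFirewallProfile"
            and ProcessCommandLine has_any ("-Enabled False", "-Enabled 0"))
     or (FileName in~ ("sc.exe", "net.exe", "net1.exe")
            and ProcessCommandLine has "stop"
            and ProcessCommandLine has "mpssvc")
| project Timestamp, DeviceId, DeviceName, ReportId,
    Signal = "FirewallDisableCommand",
    Detail = ProcessCommandLine,
    Actor = AccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine;
union registry_off, cmdline_off
| order by Timestamp desc
```

Timestamp, DeviceId and ReportId are projected on purpose: a Defender custom detection rule built from a Device* table must return those three columns, so this query can be saved as the alerting rule the original question asks for without further changes. Run it in Advanced Hunting first and check that a deliberate, authorised change on a test server appears under both signals; if the registry rows never show up, the key is not being recorded for that device and only the command-line signal will fire. Expect some noise from configuration management tools that legitimately rewrite these values, and filter on Actor or InitiatingProcessFileName once you know what is normal in your estate.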