Defender KQL query for Windows firewall status changes?

Hi all,

I would like a KQL query that finds when the Windows firewall is stopped or turned off on our servers in the last 7 days, with the aim of creating a custom detection rule to alert.

So far, I have this:

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "FirewallServiceStopped"
| sort by Timestamp

However, I tested this by turning off the Windows firewall on a server and there was no alert, not even an obvious entry in the device timeline when I view all ActionTypes/events.

What am I doing wrong?

Or is there something I'm missing, like this ActionType doesn't do what I think it does, or these alerts go to Windows Event viewer, etc.?

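An added example, not part of the original post or the Defender schema documentation: the `FirewallServiceStopped` ActionType is only recorded when the Windows Firewall service (MpsSvc) itself stops, and switching a profile off in the GUI or with `netsh`/`Set-NetFirewallProfile` leaves the service running, so a detection needs more than that one event. The query below unions three signals into a shape a custom detection rule accepts; column names come from the advanced hunting schema, while the assumption that the sensor reports the firewall policy registry keys in `DeviceRegistryEvents` should be confirmed in your own tenant.

```kusto
// Added example: three ways a server's firewall can end up off, unioned so one
// custom detection rule covers all of them.
let lookback = 7d;
// 1. The Windows Firewall service (MpsSvc) itself stopped.
let svcStopped = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FirewallServiceStopped"
    | project Timestamp, DeviceId, DeviceName, ReportId,
              Signal = "FirewallServiceStopped",
              Detail = tostring(AdditionalFields);
// 2. A profile was turned off from the command line. The service keeps
//    running in this case, so the event above never fires.
let cmdDisabled = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where (FileName =~ "netsh.exe"
             and ProcessCommandLine has_all ("advfirewall", "state", "off"))
         or (FileName in~ ("powershell.exe", "pwsh.exe")
             and ProcessCommandLine has "Set-NetFirewallProfile"
             and ProcessCommandLine matches regex @"(?i)-Enabled[:\s]+(False|0|\$false)")
    | project Timestamp, DeviceId, DeviceName, ReportId,
              Signal = "FirewallProfileDisabledByCommand",
              Detail = strcat(AccountName, ": ", ProcessCommandLine);
// 3. EnableFirewall flipped to 0 under a profile key (GUI and GPO changes land
//    here). Assumption: the sensor reports these keys; verify before relying on it.
let regDisabled = DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "RegistryValueSet"
    | where RegistryKey has @"\FirewallPolicy\" or RegistryKey has @"\WindowsFirewall\"
    | where RegistryValueName =~ "EnableFirewall" and RegistryValueData == "0"
    | project Timestamp, DeviceId, DeviceName, ReportId,
              Signal = "FirewallProfileDisabledInRegistry",
              Detail = strcat(RegistryKey, " set by ", InitiatingProcessFileName);
// Timestamp, DeviceId and ReportId must be present in the output for a custom
// detection rule to be saved.
union svcStopped, cmdDisabled, regDisabled
| sort by Timestamp desc
```

Run the query in advanced hunting first and repeat the test of switching a profile off on a server; whichever branch returns the row tells you which signal your environment actually emits before you turn the query into a rule.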