Sep 06 2023 08:03 PM
Hi all,
I would like a KQL query that finds when the Windows firewall is stopped or turned off on our servers in the last 7 days, with the aim of creating a custom detection rule to alert.
So far, I have this:
Feb 14 2024 08:10 AM
Feb 14 2024 11:44 AM
@GI472
try this
SecurityEvent
| where TimeGenerated > ago(30d)
| where Computer == "devicename"
// EventID is a numeric column, so compare against numbers rather than quoted strings
| where EventID in (5037, 5024)
//5037 - The Windows Firewall Driver detected a critical runtime error.
//5024 - The Windows Firewall Service has started successfully.
| project TimeGenerated, EventID, Activity
Feb 16 2024 12:47 AM
Hi @m4rcin ,
Thanks for taking a look, but I should have been clearer. I don't have Sentinel, only Defender. I can use KQL, but I don't have a table called SecurityEvent to query.
If I could quickly and easily get data from the Event Viewer without having to log on to each machine that would be awesome, but I understand that you can no longer create a query in Event Viewer and have it email you.
I'm guessing Defender just doesn't integrate closely enough to accurately tell when the Firewall is stopped/changed.
Probably because they want you to buy Sentinel!
Apr 29 2024 07:11 AM
Hi @GI472,
Can you check if you get any DeviceRegistryEvents once you disable the firewall? I think there is a detection opportunity over there.
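Following that suggestion, here is an added Defender XDR Advanced Hunting query (not code from anyone in the thread) that looks for a firewall profile being switched off through the registry and returns the columns a custom detection rule needs; it assumes the EnableFirewall value sits under the standard local and Group Policy firewall key paths shown in the comments.

```kql
// Added example, not from the thread. Flags a Windows Firewall profile being disabled via
// the registry in the last 7 days. Timestamp, DeviceId and ReportId are kept because a
// Defender custom detection rule requires them in the query output.
// Assumption: the per-profile EnableFirewall value lives under the two key paths below
// (locally managed and GPO managed). Confirm on a test device that Defender records the
// change before relying on the rule.
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryValueDeleted")
| where RegistryKey contains @"\SharedAccess\Parameters\FirewallPolicy\"   // local profile settings
     or RegistryKey contains @"\Policies\Microsoft\WindowsFirewall\"       // GPO-managed settings
| where RegistryValueName =~ "EnableFirewall"
// A value of 0 turns the profile off; deleting the value is worth reviewing as well
| where RegistryValueData == "0" or ActionType == "RegistryValueDeleted"
// Pull the profile name (Domain/Standard/Public) out of the key path for readable alerts
| extend Profile = extract(@"\\(DomainProfile|StandardProfile|PublicProfile)$", 1, RegistryKey)
| project Timestamp, DeviceId, DeviceName, ReportId, Profile, ActionType,
          RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Run it in Advanced Hunting first and, once it returns the expected rows from a test device, save it as a custom detection rule with the schedule and alert severity you want.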