cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Defender KQL query for Windows firewall status changes?

GI472
Brass Contributor

‎Sep 06 2023 08:03 PM

‎Sep 06 2023 08:03 PM

Defender KQL query for Windows firewall status changes?

Hi all,

 

I would like a KQL query that finds when the Windows firewall is stopped or turned off on our servers in the last 7 days, with the aim of creating a custom detection rule to alert.

 

So far, I have this:

 

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "FirewallServiceStopped"
| sort by Timestamp
 
However, I tested this by turning off the Windows firewall on a server and there was no alert, not even an obvious entry in the device timeline when I view all ActionTypes/events.
 
What am I doing wrong?
 
Or is there something I'm missing, like this ActionType doesn't do what I think it does, or these alerts go to Windows Event viewer, etc.?

 

1,484 Views
0 Likes
4 Replies
Reply
4 Replies
m4rcin

‎Feb 14 2024 08:10 AM

‎Feb 14 2024 08:10 AM

Re: Defender KQL query for Windows firewall status changes?

Hi @GI472,
Were you able to find out good solution?
I would also like to know the answer to your question as it became mine.

The query looks ok.
I've tested it and I can find the device where the service was stopped. But the Firewall service on that device was active when I checked it with Get-NetFirewallProfile.
And I don't see any other ActionType reference which indicates turning on the firewall service.

Best
0 Likes
Reply
m4rcin

‎Feb 14 2024 11:44 AM

‎Feb 14 2024 11:44 AM

Re: Defender KQL query for Windows firewall status changes?

@GI472 
try this 

SecurityEvent
| where TimeGenerated > ago(30d)
| where Computer == "devicename"
| where EventID == "5037" or EventID == "5024"
//5037 -  The Windows Firewall Driver detected a critical runtime error.
//5024 - The Windows Firewall Service has started successfully.
| project TimeGenerated, EventID, Activity
0 Likes
Reply
GI472

‎Feb 16 2024 12:47 AM

‎Feb 16 2024 12:47 AM

Re: Defender KQL query for Windows firewall status changes?

Hi @m4rcin ,

 

Thanks for taking a look, but I should have been clearer. I don't have Sentinel, only Defender. I can use KQL, but I don't have a table called SecurityEvent to query. 

 

If I could quickly and easily get data from the EventViewer without having to logon to each machine that would be awesome, but I understand that you can no longer create a query in EventViewer and have it email you.

 

I'm guessing Defender just doesn't integrate closely enough to accurately tell when the Firewall is stopped/changed.

 

Probably because they want you to buy Sentinel!

0 Likes
Reply
cyb3rmik3

‎Apr 29 2024 07:11 AM

‎Apr 29 2024 07:11 AM

Re: Defender KQL query for Windows firewall status changes?

Hi @GI472,

 

Can you check if you get any DeviceRegistryEvents once you disable the firewall? I think there is a detection opportunity over there.

0 Likes
Reply