Getting Windows Events


Hi folks,


I'm trying to create a query to hunt newly created "Allowed Ports" in Windows Firewall on a VM.

The monitoring agent is installed and running, but unfortunately event ID 2004 / firewall rule created is not considered a Security Event by MS :) reference below


My questions:

1- How to hunt for 2004 events?

2- If we install Sysmon on the VM, how do we push these events to Azure Sentinel?


BTW: I'm aware of the Windows Firewall connector in Azure Sentinel, but this is for a different case.




2 Replies

I have added the firewall path from Advanced settings, but still the events are not flowing.


best response confirmed by nafejeries (Copper Contributor)

@nafejeries Based on my testing you are definitely looking at the correct log source. How long have you waited to see if the data shows up?


Update: I added that same log to my Windows Events, created a new Firewall rule, and I did see the value show up in the Event table.
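As an added example (not code from either poster), here is a KQL hunting query against the Log Analytics `Event` table that the agent populates once the firewall log is added under Advanced settings > Data > Windows Event Logs. It assumes the log name string `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall`, that event 2004 carries `EventData` fields named `RuleName`, `Direction`, `Action`, `Protocol`, `LocalPorts`, `ModifyingUser` and `ModifyingApplication`, and that `Direction` 1/2 encode inbound/outbound and `Action` 3/2 encode allow/block; confirm those field names and encodings against an event in your own workspace before relying on the filter.

```kql
// Hunt for newly added Windows Firewall rules (event 2004) in the Event table.
// Assumed log name and EventData field names; verify against a real 2004 event.
let FirewallLog = "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall";
let lookback = 7d;
Event
| where TimeGenerated > ago(lookback)
| where EventLog == FirewallLog
| where EventID == 2004                       // "A rule has been added to the Windows Firewall exception list"
// Pull individual fields out of the EventData XML blob with a regex per field.
| extend RuleName            = extract(@'<Data Name="RuleName">([^<]*)</Data>', 1, EventData),
         DirectionCode       = toint(extract(@'<Data Name="Direction">(\d+)</Data>', 1, EventData)),
         ActionCode          = toint(extract(@'<Data Name="Action">(\d+)</Data>', 1, EventData)),
         Protocol            = extract(@'<Data Name="Protocol">([^<]*)</Data>', 1, EventData),
         LocalPorts          = extract(@'<Data Name="LocalPorts">([^<]*)</Data>', 1, EventData),
         ModifyingUser       = extract(@'<Data Name="ModifyingUser">([^<]*)</Data>', 1, EventData),
         ModifyingApplication= extract(@'<Data Name="ModifyingApplication">([^<]*)</Data>', 1, EventData)
// Assumed encodings: Direction 1 = inbound, 2 = outbound; Action 3 = allow, 2 = block.
| extend Direction = case(DirectionCode == 1, "Inbound", DirectionCode == 2, "Outbound", "Unknown"),
         Action    = case(ActionCode == 3, "Allow", ActionCode == 2, "Block", "Unknown")
// The question is about newly opened ports: keep inbound allow rules only.
| where Direction == "Inbound" and Action == "Allow"
// Flag rules created by something other than the usual management tooling.
| extend CreatedOutsideMMC = ModifyingApplication !endswith @"\mmc.exe"
| project TimeGenerated, Computer, RuleName, Direction, Action, Protocol, LocalPorts,
          ModifyingUser, ModifyingApplication, CreatedOutsideMMC
| order by TimeGenerated desc
```

The same `Event` table route answers the second question: once Sysmon is installed, add `Microsoft-Windows-Sysmon/Operational` to the Windows Event Logs list in the same Advanced settings page and swap the `EventLog` filter above for that log name (Sysmon event ID 3 is the network-connection event). The `CreatedOutsideMMC` column is a starting point for triage rather than a verdict; legitimate installers and `netsh` also create rules, so tune the allow-list of modifying applications to what is normal on your hosts.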