kqlHunting
List Local Firewall Additions
Data Sources
DeviceProcessEvents
Platforms
windows, azure-sentinel, microsoft-defender
Tags
defender-for-endpoint
# List Local Firewall Additions
## Query Information
### Description
Lists process executions whose command line contains "firewall add" (local firewall rule additions), excluding those started by the Defender for Identity sensor updater (Microsoft.Tri.Sensor.Updater.exe), which adds rules as part of its normal operation.
## Defender XDR
```KQL
DeviceProcessEvents
| where ProcessCommandLine has "firewall add"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe" // DFI sensor
| project-reorder
Timestamp,
DeviceName,
AccountName,
ProcessCommandLine,
InitiatingProcessCommandLine
```
## Sentinel
```KQL
DeviceProcessEvents
| where ProcessCommandLine has "firewall add"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe" // DFI sensor
| project-reorder
TimeGenerated,
DeviceName,
AccountName,
ProcessCommandLine,
InitiatingProcessCommandLine
```