List Local Firewall Additions

Query Information

Description

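Lists process executions whose command line contains "firewall add", that is, additions to the local firewall configuration. Executions initiated by the Defender for Identity (DFI) sensor updater are excluded.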

Defender XDR

DeviceProcessEvents
| where ProcessCommandLine has "firewall add"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe" // exclude the Defender for Identity (DFI) sensor updater
| project-reorder
     Timestamp,
     DeviceName,
     AccountName,
     ProcessCommandLine,
     InitiatingProcessCommandLine

Sentinel

DeviceProcessEvents
| where ProcessCommandLine has "firewall add"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe" // exclude the Defender for Identity (DFI) sensor updater
| project-reorder
     TimeGenerated,
     DeviceName,
     AccountName,
     ProcessCommandLine,
     InitiatingProcessCommandLine
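
For triage, the same filter can be run over inline sample rows and extended to parse the rule parameters out of the command line. This is an added example, not part of the original query file, and it goes beyond the page's query. It assumes the additions are made with netsh and its key=value arguments; the sample rows are constructed and the columns RuleName, Direction, Action, LocalPort and InboundAllow are hypothetical names.

```kql
// Constructed sample rows standing in for DeviceProcessEvents; not real telemetry.
let SampleEvents = datatable(
    Timestamp: datetime, DeviceName: string, AccountName: string,
    InitiatingProcessFileName: string, InitiatingProcessCommandLine: string,
    ProcessCommandLine: string)
[
    datetime(2024-01-01 10:00:00), "host-a", "alice", "cmd.exe", "cmd.exe",
        'netsh advfirewall firewall add rule name="App In" dir=in action=allow protocol=TCP localport=8443',
    datetime(2024-01-01 10:05:00), "host-b", "bob", "powershell.exe", "powershell.exe",
        'netsh advfirewall firewall add rule name=BlockOut dir=out action=block remoteip=203.0.113.10',
    datetime(2024-01-01 10:10:00), "host-c", "system", "Microsoft.Tri.Sensor.Updater.exe", "Microsoft.Tri.Sensor.Updater.exe",
        'netsh advfirewall firewall add rule name="Constructed sensor rule" dir=in action=allow',
    datetime(2024-01-01 10:15:00), "host-a", "alice", "cmd.exe", "cmd.exe",
        'netsh advfirewall firewall show rule name=all'
];
SampleEvents
// Same two filters as the page's query: keep additions, drop the DFI sensor updater.
| where ProcessCommandLine has "firewall add"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe"
// Hypothetical helper columns parsed from the netsh key=value arguments (assumed syntax).
| extend RuleName  = trim('"', extract(@'(?i)\bname=("[^"]*"|\S+)', 1, ProcessCommandLine)),
         Direction = tolower(extract(@'(?i)\bdir=(\w+)', 1, ProcessCommandLine)),
         Action    = tolower(extract(@'(?i)\baction=(\w+)', 1, ProcessCommandLine)),
         LocalPort = extract(@'(?i)\blocalport=(\S+)', 1, ProcessCommandLine)
// Flag inbound allow rules, which widen what the host accepts, for review first.
| extend InboundAllow = (Direction == "in" and Action == "allow")
| sort by Timestamp asc
| project Timestamp, DeviceName, AccountName, RuleName, Direction, Action,
          LocalPort, InboundAllow, ProcessCommandLine, InitiatingProcessCommandLine
```

To run it against live data, replace `SampleEvents` with `DeviceProcessEvents` and, in Sentinel, `Timestamp` with `TimeGenerated`.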