Defender Firewall report in Microsoft 365 Defender

One challenge with configuring Windows Firewall (beyond the default of blocking inbound and allowing outbound traffic) is that we need the data to base the rules on. Before Defender for Endpoint we had to rely on event forwarding and similar techniques to collect that data from the environment.

Microsoft has recently released a Defender Firewall (Windows Firewall) report where we can see the events. This has some prerequisites in terms of audit settings (Windows audit settings, not the firewall log).

Configure firewall auditing

Enable auditing for Filtering platform

Always verify eventual impact in your environment before enabling new settings on all endpoints

To get the data into the report, the device must be onboarded to MDE.

Command line to enable auditing

  • auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
  • auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

For further reading about filtering platform auditing, please visit:
Audit Filtering Platform Connection (Windows 10) | Microsoft Learn
Audit Filtering Platform Packet Drop (Windows 10) | Microsoft Learn

When the settings are completed, you will see data populate at

https://security.microsoft.com/firewall

You will be able to see inbound, outbound and apps in the report on a very detailed level which will make it easier to harden the policy.

Hunting for Firewall events

The firewall events are located in the DeviceEvents table:

DeviceEvents
| where ActionType startswith "Firewall"
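Building on that query, here is an added hunting example (my own, not part of the original post) that summarises block events per direction, app and port, which is the view you want when turning the noise into explicit allow rules. It assumes the standard DeviceEvents columns (DeviceId, InitiatingProcessFileName, InitiatingProcessFolderPath, LocalPort, RemotePort, RemoteIP) and that the block ActionType values contain the words "Blocked" and "Inbound"/"Outbound".

```kql
// Assumption: block events are ActionTypes such as FirewallInboundConnectionBlocked
// and FirewallOutboundConnectionBlocked; FirewallServiceStopped is excluded by the
// "Blocked" filter because it is a health signal, not a dropped connection.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Firewall"
| where ActionType contains "Blocked"
| extend Direction = iff(ActionType contains "Inbound", "Inbound", "Outbound")
| summarize
    BlockCount  = count(),
    DeviceCount = dcount(DeviceId),        // how widespread the app/port is
    SampleRemoteIPs = make_set(RemoteIP, 10),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp)
    by Direction, InitiatingProcessFolderPath, InitiatingProcessFileName, LocalPort, RemotePort
| order by DeviceCount desc, BlockCount desc
```

Rows with a high DeviceCount and a known, signed binary are candidates for a scoped allow rule; a single device with many blocked inbound attempts to one LocalPort is worth a closer look rather than a rule.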

Happy Hunting