One challenge with configuring the Windows Firewall (beyond the default of blocking inbound and allowing outbound) is that we need data about the traffic that actually flows. Before Defender for Endpoint we had to rely on event forwarding and similar techniques to collect that data from the environment.
Microsoft has recently released a Defender Firewall (Windows Firewall) report in which we can see the events. It has some prerequisites in terms of audit settings (Windows audit settings, not the firewall log).
Configure firewall auditing
Enable auditing for Filtering platform
Always verify the potential impact in your environment before enabling new settings on all endpoints.
To get the data, the device needs to be onboarded to MDE.
Command lines to enable auditing:
- auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
- auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
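As an added example (not part of the original post), the same change as a script that records the current state first, applies it, and verifies the result, so the impact can be assessed and rolled back. It assumes an elevated PowerShell session and parses the CSV output of auditpol /get /r.

```powershell
# Added example: enable the two Filtering Platform audit subcategories the
# report depends on, then verify with auditpol. Assumes an elevated session.
#Requires -RunAsAdministrator

$subcategories = @(
    'Filtering Platform Packet Drop',
    'Filtering Platform Connection'
)

function Get-AuditSetting {
    param([string]$Subcategory)
    # /r returns CSV; the "Inclusion Setting" column holds e.g. "Failure" or "No Auditing"
    $csv = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    return $csv.'Inclusion Setting'
}

# Record the current state so the change can be reviewed or reverted later
$before = @{}
foreach ($s in $subcategories) { $before[$s] = Get-AuditSetting -Subcategory $s }
$before.GetEnumerator() | ForEach-Object { "Before: $($_.Key) = $($_.Value)" }

# Enable failure auditing only, which is what the report needs; success auditing
# on "Filtering Platform Connection" is very noisy and is not required here
foreach ($s in $subcategories) {
    auditpol /set /subcategory:"$s" /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$s'" }
}

# Verify: every subcategory must now include Failure
foreach ($s in $subcategories) {
    $after = Get-AuditSetting -Subcategory $s
    if ($after -notmatch 'Failure') {
        throw "Audit setting for '$s' is '$after', expected Failure"
    }
    "After:  $s = $after"
}

# The MDE sensor (the "Sense" service) must be running for events to reach the report
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if (-not $sense -or $sense.Status -ne 'Running') {
    Write-Warning 'Sense service not running: device may not be onboarded to MDE'
}

# Rollback after assessing event volume, if needed:
#   auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:disable
#   auditpol /set /subcategory:"Filtering Platform Connection" /failure:disable
```

If audit policy is managed centrally (GPO or Intune), make the change there instead; a local auditpol setting is overwritten at the next policy refresh.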
For further reading about filtering platform auditing, please visit:
Audit Filtering Platform Connection (Windows 10) | Microsoft Learn
Audit Filtering Platform Packet Drop (Windows 10) | Microsoft Learn
When the settings are completed, you will see data populate at
In the report you will be able to see inbound and outbound connections and the apps involved at a very detailed level, which makes it easier to harden the policy.
Hunting for Firewall events
DeviceEvents | where ActionType startswith "Firewall"