Query Details

Local Firewall Additions

Query

# Hunt for Local Firewall Additions
----
### Defender For Endpoint

```
DeviceProcessEvents
| where ProcessCommandLine contains "firewall add"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe" // DFI sensor
| project-reorder
     Timestamp,
     DeviceName,
     AccountName,
     ProcessCommandLine,
     InitiatingProcessCommandLine
```

### Sentinel

```
DeviceProcessEvents
| where ProcessCommandLine contains "firewall add"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe" // DFI sensor
| project-reorder
     TimeGenerated,
     DeviceName,
     AccountName,
     ProcessCommandLine,
     InitiatingProcessCommandLine
```

Explanation

The query hunts for local firewall additions in both Defender for Endpoint and Sentinel. It filters the DeviceProcessEvents table to events whose ProcessCommandLine contains the phrase "firewall add" and whose InitiatingProcessFileName is not "Microsoft.Tri.Sensor.Updater.exe" (the DFI sensor updater, excluded because it adds firewall rules as part of normal operation). The query then reorders the columns so the most useful ones appear first; the only difference between the two versions is the time column, Timestamp in Defender for Endpoint and TimeGenerated in Sentinel.
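To make the filter semantics concrete, the following added example (not part of the original query page) re-implements the three steps of the hunt in Python and runs them over a handful of constructed DeviceProcessEvents rows. It mirrors two details a practitioner should be aware of when tuning the query: KQL `contains` is a case-insensitive substring match, whereas `!=` on strings is case-sensitive, so the sensor-updater exclusion only fires on an exact file-name match. Device names, accounts, timestamps and command lines in the sample rows are invented; the column names are the Defender for Endpoint ones (Timestamp rather than TimeGenerated).

```python
# Added illustration: Python re-implementation of the hunt's filter logic,
# run over constructed DeviceProcessEvents rows. Not the page's own code.

NEEDLE = "firewall add"
EXCLUDED_INITIATOR = "Microsoft.Tri.Sensor.Updater.exe"   # the "DFI sensor" exclusion in the query
PROJECTED = ["Timestamp", "DeviceName", "AccountName",
             "ProcessCommandLine", "InitiatingProcessCommandLine"]


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def hunt_firewall_additions(events):
    """Apply the same three steps as the KQL: where contains, where !=, project-reorder."""
    hits = []
    for ev in events:
        if not kql_contains(ev.get("ProcessCommandLine", ""), NEEDLE):
            continue
        # KQL `!=` on strings is case-sensitive, so an exact comparison mirrors it.
        if ev.get("InitiatingProcessFileName", "") == EXCLUDED_INITIATOR:
            continue
        # project-reorder: the named columns first, every other column after them
        row = {col: ev.get(col) for col in PROJECTED}
        row.update({k: v for k, v in ev.items() if k not in row})
        hits.append(row)
    return hits


# Constructed sample rows (hostnames, accounts, timestamps and rule names are invented).
SAMPLE_EVENTS = [
    {   # admin change launched from an interactive cmd.exe: should be reported
        "Timestamp": "2023-02-14T09:12:03Z", "DeviceName": "ws-finance-07",
        "AccountName": "jdoe", "InitiatingProcessFileName": "cmd.exe",
        "InitiatingProcessCommandLine": "cmd.exe",
        "ProcessCommandLine": 'netsh advfirewall firewall add rule name="RemoteTool" dir=in action=allow program="C:\\Tools\\tool.exe"',
    },
    {   # same kind of command, but launched by the DFI sensor updater: excluded as expected noise
        "Timestamp": "2023-02-14T09:15:40Z", "DeviceName": "dc-01",
        "AccountName": "SYSTEM", "InitiatingProcessFileName": "Microsoft.Tri.Sensor.Updater.exe",
        "InitiatingProcessCommandLine": "Microsoft.Tri.Sensor.Updater.exe",
        "ProcessCommandLine": 'netsh advfirewall firewall add rule name="Sensor" dir=in action=allow',
    },
    {   # different casing still matches because `contains` ignores case
        "Timestamp": "2023-02-14T10:01:15Z", "DeviceName": "srv-app-02",
        "AccountName": "svc_deploy", "InitiatingProcessFileName": "powershell.exe",
        "InitiatingProcessCommandLine": "powershell.exe -File deploy.ps1",
        "ProcessCommandLine": 'NETSH ADVFIREWALL FIREWALL ADD RULE NAME="App" DIR=IN ACTION=ALLOW',
    },
    {   # read-only firewall query: must not match
        "Timestamp": "2023-02-14T10:05:00Z", "DeviceName": "srv-app-02",
        "AccountName": "svc_deploy", "InitiatingProcessFileName": "powershell.exe",
        "InitiatingProcessCommandLine": "powershell.exe",
        "ProcessCommandLine": "netsh advfirewall firewall show rule name=all",
    },
]


def sample_hits():
    """Run the hunt over the constructed rows; returns the two expected hits."""
    return hunt_firewall_additions(SAMPLE_EVENTS)


if __name__ == "__main__":
    for row in sample_hits():
        print(row["Timestamp"], row["DeviceName"], row["AccountName"], row["ProcessCommandLine"])
```

Running the block reports the cmd.exe-launched addition and the upper-cased PowerShell-launched one, and drops both the sensor-updater row and the read-only `show rule` row, which is exactly what the KQL returns for the same data. If the exclusion ever needs to tolerate casing differences in the logged file name, the KQL equivalent is `!~` rather than `!=`.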

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, ProcessCommandLine, InitiatingProcessFileName, Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, TimeGenerated

Operators

where, contains, !=, project-reorder
