Query Details

Local Firewall Deletions

Query

# Hunt for Local Firewall Deletions
----
### Defender For Endpoint

```
DeviceProcessEvents
| where ProcessCommandLine contains "firewall delete"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe" // DFI sensor
| project-reorder
     Timestamp,
     DeviceName,
     AccountName,
     ProcessCommandLine,
     InitiatingProcessCommandLine
```
### Sentinel
```
DeviceProcessEvents
| where ProcessCommandLine contains "firewall delete"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe" // DFI sensor
| project-reorder
     TimeGenerated,
     DeviceName,
     AccountName,
     ProcessCommandLine,
     InitiatingProcessCommandLine
```



Explanation

This query hunts for local firewall rule deletions. It selects DeviceProcessEvents rows whose process command line contains the phrase "firewall delete" and excludes events initiated by the Microsoft Defender for Endpoint sensor (InitiatingProcessFileName equal to "Microsoft.Tri.Sensor.Updater.exe"). It then reorders the output so that the timestamp, device name, account name, process command line and initiating process command line appear first. The same query is given for both Defender for Endpoint and Sentinel; the only difference is the timestamp column name (Timestamp versus TimeGenerated).
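To make the filter semantics concrete, the following Python re-implements the hunt over a handful of constructed DeviceProcessEvents rows. This is an added example, not code from the page or its author; the hostnames, account names, rule names and command lines are invented. It mirrors two KQL details worth knowing when tuning this query: `contains` is a case-insensitive substring match (`contains_cs` is the case-sensitive form), while `!=` is a case-sensitive string comparison (`!~` is the case-insensitive form), so the sensor exclusion only applies on an exact filename match.

```python
from dataclasses import dataclass
from typing import Iterable, List, Dict


@dataclass(frozen=True)
class DeviceProcessEvent:
    """Subset of the DeviceProcessEvents columns the hunt filters on or projects."""
    Timestamp: str
    DeviceName: str
    AccountName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str


# Constructed sample rows (hypothetical hosts, users and rule names; not real telemetry).
SAMPLE_EVENTS: List[DeviceProcessEvent] = [
    # Plain firewall rule deletion from an interactive shell: should be surfaced.
    DeviceProcessEvent("2023-02-14T09:12:01Z", "ws01", "jdoe",
                       'netsh advfirewall firewall delete rule name="Block Telnet"',
                       "cmd.exe", "cmd.exe"),
    # Same action with different casing: KQL `contains` still matches.
    DeviceProcessEvent("2023-02-14T09:15:44Z", "ws02", "asmith",
                       'NETSH ADVFIREWALL FIREWALL DELETE RULE name="Block Telnet"',
                       "powershell.exe", "powershell.exe -NoProfile"),
    # Initiated by the excluded sensor updater (exact filename): filtered out.
    DeviceProcessEvent("2023-02-14T09:20:10Z", "srv01", "SYSTEM",
                       'netsh advfirewall firewall delete rule name="Sensor Temp"',
                       "Microsoft.Tri.Sensor.Updater.exe",
                       "Microsoft.Tri.Sensor.Updater.exe"),
    # Rule creation, not deletion: never matches the phrase.
    DeviceProcessEvent("2023-02-14T09:25:03Z", "ws03", "jdoe",
                       'netsh advfirewall firewall add rule name="Allow App" dir=in action=allow',
                       "cmd.exe", "cmd.exe"),
    # Lower-cased initiator filename: `!=` is case-sensitive, so it is NOT excluded.
    DeviceProcessEvent("2023-02-14T09:30:57Z", "ws04", "SYSTEM",
                       'netsh advfirewall firewall delete rule name="Sensor Temp"',
                       "microsoft.tri.sensor.updater.exe",
                       "microsoft.tri.sensor.updater.exe"),
]

PROJECTED_COLUMNS = ("Timestamp", "DeviceName", "AccountName",
                     "ProcessCommandLine", "InitiatingProcessCommandLine")


def kql_contains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test, matching the behaviour of KQL `contains`."""
    return needle.casefold() in haystack.casefold()


def hunt_local_firewall_deletions(
    events: Iterable[DeviceProcessEvent],
    excluded_initiator: str = "Microsoft.Tri.Sensor.Updater.exe",
) -> List[Dict[str, str]]:
    """Python equivalent of the page's KQL: the `contains` and `!=` filters,
    followed by the projected columns (in the order `project-reorder` puts them)."""
    hits: List[Dict[str, str]] = []
    for e in events:
        if not kql_contains(e.ProcessCommandLine, "firewall delete"):
            continue
        # Exact, case-sensitive comparison, as KQL `!=` performs on strings.
        if e.InitiatingProcessFileName == excluded_initiator:
            continue
        hits.append({col: getattr(e, col) for col in PROJECTED_COLUMNS})
    return hits


if __name__ == "__main__":
    for row in hunt_local_firewall_deletions(SAMPLE_EVENTS):
        print(row["Timestamp"], row["DeviceName"], row["AccountName"],
              row["ProcessCommandLine"], sep=" | ")
```

Running the block lists the ws01, ws02 and ws04 rows; the sensor-updater row is dropped and the `add rule` row never matches. If the exclusion should also cover differently cased filenames, the KQL would need `!~` instead of `!=`.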

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, ProcessCommandLine, InitiatingProcessFileName, Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, TimeGenerated

Operators

where, contains, !=, project-reorder
