Query Details
```kql
// Find outbound firewall blocks based on firewall profile
// Change 'where FirewallProfile == "Domain"' to the profile you want to search (e.g., Domain, Private, Public)
// To find the profile type of "null" leave the quote marks empty, e.g., ""
// Adjust the take value to determine result count
// Update DeviceName to filter to a specific device
DeviceEvents
| where ActionType == "FirewallOutboundConnectionBlocked"
| where DeviceName == "devicename.domain.here"
| join kind=leftouter (
    DeviceNetworkInfo
    // ConnectedNetworks is a JSON array; expand it to one row per connected network
    | mv-expand ParsedNetworks = parse_json(ConnectedNetworks)
    | extend NetworkCategory = tostring(ParsedNetworks.Category)
    | summarize Categories = make_set(NetworkCategory) by DeviceId, DeviceName
    // The first category in the set is treated as the device's firewall profile
    | extend FirewallProfile = tostring(Categories[0])
) on DeviceId
| where FirewallProfile == "Domain"
| project Timestamp, DeviceName, FirewallProfile, RemoteIP, RemotePort, InitiatingProcessFileName
| sort by Timestamp desc
| take 100
```
This query identifies and lists outbound firewall blocks on a specific device, filtered by firewall profile. A simplified breakdown of what it does:

- Data Source: It starts from the DeviceEvents table, keeping only events where an outbound connection was blocked by the firewall.
- Device Filter: It narrows the results to a single device; replace "devicename.domain.here" with the actual device name you are interested in.
- Join with Network Info: It joins these events with DeviceNetworkInfo to determine the firewall profile for each event. The connected-networks JSON is expanded to extract each network category, and the categories are collected into a set per device, the first of which is used as the profile.
- Firewall Profile Filter: It keeps only events where the firewall profile is "Domain". Change this value to search for another profile.
- Output: It selects the timestamp of the event, the device name, the firewall profile, the remote IP and port of the blocked connection, and the name of the process that initiated it.
- Sorting: Finally, it sorts the results by timestamp in descending order so the most recent events appear first.

You can adjust the device name, firewall profile, and the number of results to tailor the query to your needs.
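Because the query above collects every network category a device has ever reported and takes the first element of that set, the profile it assigns can be stale or arbitrary. The following variant, added here as an example and not part of the original query, instead resolves each device's most recent DeviceNetworkInfo report per adapter and then counts blocks per device, profile and initiating process across the fleet. It assumes the standard Microsoft Defender advanced hunting schema for DeviceEvents and DeviceNetworkInfo (the Timestamp, DeviceId, NetworkAdapterName and ConnectedNetworks columns).

```kql
// Added example: latest-profile resolution plus a per-process block summary.
// Assumes standard DeviceEvents / DeviceNetworkInfo schema.
let lookback = 7d;
let LatestProfile = DeviceNetworkInfo
    | where Timestamp > ago(lookback)
    // Keep only the newest report for each adapter on each device
    | summarize arg_max(Timestamp, ConnectedNetworks) by DeviceId, NetworkAdapterName
    | mv-expand Net = parse_json(ConnectedNetworks)
    | extend NetworkCategory = tostring(Net.Category)
    | where isnotempty(NetworkCategory)
    // One set of currently connected categories per device
    | summarize Profiles = make_set(NetworkCategory) by DeviceId;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "FirewallOutboundConnectionBlocked"
| join kind=leftouter LatestProfile on DeviceId
// tostring() of a null/absent element yields "", matching the page's "null" profile convention
| extend FirewallProfile = tostring(Profiles[0])
| summarize Blocks = count(),
            DistinctRemoteIPs = dcount(RemoteIP),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, FirewallProfile, InitiatingProcessFileName
| sort by Blocks desc
```

A process that is repeatedly blocked while the device is on the "Domain" profile, or a device whose profile resolves to "", is worth reviewing for policy gaps or a misclassified network.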

Nathan Hutchinson
Released: February 17, 2026