KQL Search

Query Details

Windows Outbound Firewall Blocks Filtered By Firewall Profile

Query

```kql
// Find outbound firewall blocks based on firewall profile
// Change "where FirewallProfile == "Public" to desired profile you want to search
// To find the profile type of "null" leave the quote marks empty, e.g., ""
// Adjust limit to dertermine result count
DeviceEvents
| where ActionType == "FirewallOutboundConnectionBlocked"
| join kind=leftouter (
    DeviceNetworkInfo
    | mv-expand ParsedNetworks = parse_json(ConnectedNetworks)
    | extend NetworkCategory = tostring(ParsedNetworks.Category)
    | summarize Categories = make_set(NetworkCategory) by DeviceId, DeviceName
    | extend FirewallProfile = tostring(Categories[0])
) on DeviceId
| where FirewallProfile == "Public"
| project Timestamp, DeviceName, FirewallProfile, RemoteIP, RemotePort, InitiatingProcessFileName
| sort by Timestamp desc
```

Explanation

This query is designed to identify instances where outbound connections are blocked by a firewall, specifically focusing on a particular firewall profile. Here's a simplified breakdown:

  1. Filter for Blocked Connections: The query starts by looking at device events where the action type indicates that an outbound connection was blocked by the firewall.

  2. Join with Network Information: It then combines this data with network information from devices. This involves expanding the connected networks data to extract the network category for each device.

  3. Determine Firewall Profile: For each device, it summarizes the network categories and determines the firewall profile being used. The first category in the list is assumed to be the firewall profile.

  4. Filter by Desired Profile: The query specifically filters for devices using the "Public" firewall profile. You can change this to another profile by modifying the query.

  5. Select Relevant Information: It selects and displays specific details about each blocked connection, including the timestamp, device name, firewall profile, remote IP address, remote port, and the name of the process that initiated the connection.

  6. Sort Results: Finally, it sorts the results by timestamp in descending order, showing the most recent events first.

You can adjust the profile filter and the number of results returned by modifying the query as needed.

Details

Nathan Hutchinson profile picture

Nathan Hutchinson

Released: February 17, 2026

Tables

DeviceEventsDeviceNetworkInfo

Keywords

DeviceEventsDeviceNetworkInfoDeviceIdDeviceNameFirewallProfileRemoteIPRemotePortInitiatingProcessFileNameTimestampNetworkCategoryCategoriesActionTypeParsedNetworksConnectedNetworks

Operators

//DeviceEvents|where=="FirewallOutboundConnectionBlocked"|joinkind=leftouter(DeviceNetworkInfo|mv-expandParsedNetworks=parse_json(ConnectedNetworks)|extendNetworkCategory=tostring(ParsedNetworks.Category)|summarizeCategories=make_set(NetworkCategory)byDeviceIdDeviceName|extendFirewallProfile=tostring(Categories[0]))onDeviceId|where=="Public"|projectTimestampDeviceNameFirewallProfileRemoteIPRemotePortInitiatingProcessFileName|sortbydesc

Actions