Blocked-connection events raised by the Windows Filtering Platform can reveal adversaries probing for ways around firewall rules or attempting unauthorized network connections. SOC teams should proactively hunt on these events in their Azure Sentinel environment to surface evasion attempts and stealthy network activity that a single block on a single host would not make obvious.
KQL Query

```kusto
DeviceEvents
| where ActionType in ("FirewallOutboundConnectionBlocked", "FirewallInboundConnectionBlocked", "FirewallInboundConnectionToAppBlocked")
| project DeviceId, Timestamp, InitiatingProcessFileName, InitiatingProcessParentFileName, RemoteIP, RemotePort, LocalIP, LocalPort
| summarize MachineCount=dcount(DeviceId) by RemoteIP
| top 100 by MachineCount desc
```
```yaml
id: fb02b8f1-1eb9-43f9-b6e6-cca78a323f2b
name: Windows filtering events (Firewall)
description: |
  Get all filtering events done by the Windows filtering platform.
  This includes any blocks done by Windows Firewall rules, but also blocks triggered by some 3rd party firewalls.
  When no Firewall rules are configured, the default behavior is to block all incoming network connections.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  DeviceEvents
  | where ActionType in ("FirewallOutboundConnectionBlocked", "FirewallInboundConnectionBlocked", "FirewallInboundConnectionToAppBlocked")
  | project DeviceId, Timestamp, InitiatingProcessFileName, InitiatingProcessParentFileName, RemoteIP, RemotePort, LocalIP, LocalPort
  | summarize MachineCount=dcount(DeviceId) by RemoteIP
  | top 100 by MachineCount desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is configuring a new Windows Firewall rule using the Windows Firewall with Advanced Security console.
  Filter/Exclusion: Exclude events where the source is Local Security Policy or Windows Firewall with Advanced Security (specific event IDs or process names like firewall.msc or svchost.exe with known firewall-related services).
- Scenario: A scheduled task is running a script that temporarily blocks outbound traffic to update software or patch systems.
  Filter/Exclusion: Exclude events where the source is a known scheduled task (e.g., UpdateOrchestrator or WindowsUpdate) or where the destination port is associated with known update services (e.g., port 80, 443, 8080).
- Scenario: A third-party firewall (e.g., Cisco ASA, Palo Alto Networks, or Check Point) is blocking traffic as part of its normal operation.
  Filter/Exclusion: Exclude events where the source is a third-party firewall service (e.g., ciscoasa.exe, paloalto.exe, or checkpoint.exe) or where the event is logged by a non-Windows filtering platform.
- Scenario: A remote desktop session is being blocked by the Windows Firewall because it is being established from an external IP.
  Filter/Exclusion: Exclude events where the source IP is from a known remote access IP range (e.g., public IP ranges used by remote desktop services) or where the destination port is 3389 (RDP).
- Scenario: A system update or patching tool (e.g., Windows Update, Microsoft Endpoint Configuration Manager) is temporarily blocking traffic to install updates.
  Filter/Exclusion: Exclude events where the source is a known update tool (e.g., `wua
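The following query is an added tuning example, not part of the original hunting query or of the Sentinel content it came from. It folds the exclusions from the scenarios above into the base query as `let` lists so they can be adjusted per environment, and it keeps process and time context that the plain `summarize ... by RemoteIP` throws away. The process names, parent names and port list are illustrative placeholders copied from the scenarios; the use of `InitiatingProcessParentFileName` to approximate a "scheduled task" source is an assumption, because `DeviceEvents` has no scheduled-task column. Excluding port 443 (or svchost.exe by name alone) removes most of the visibility this hunt is meant to provide, so those lines are the first to revisit.

```kusto
// Added tuning example (not the original hunting query). All list contents are placeholders
// taken from the scenarios above and must be validated against your own telemetry.
let lookback = 7d;
// Scenario 1 and 3: processes that legitimately produce filtering events.
// svchost.exe is deliberately NOT listed: exclude it only together with its
// InitiatingProcessCommandLine (service group), never by file name alone.
let ExcludedProcesses = dynamic(["firewall.msc", "ciscoasa.exe", "paloalto.exe", "checkpoint.exe"]);
// Scenario 2 and 5: update orchestration. Assumption: approximated via the parent process name.
let ExcludedParents = dynamic(["UpdateOrchestrator", "WindowsUpdate"]);
// Scenario 2 and 4: ports treated as expected. 443 hides most command-and-control; tune with care.
let ExcludedPorts = dynamic([80, 443, 8080, 3389]);
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FirewallOutboundConnectionBlocked",
                       "FirewallInboundConnectionBlocked",
                       "FirewallInboundConnectionToAppBlocked")
| where InitiatingProcessFileName !in~ (ExcludedProcesses)
| where InitiatingProcessParentFileName !in~ (ExcludedParents)
| where RemotePort !in (ExcludedPorts)
// Keep the original signal (how many distinct devices hit one remote address)
// but retain enough context to triage a hit without re-querying.
| summarize MachineCount = dcount(DeviceId),
            EventCount   = count(),
            FirstSeen    = min(Timestamp),
            LastSeen     = max(Timestamp),
            Actions      = make_set(ActionType, 5),
            Processes    = make_set(InitiatingProcessFileName, 10),
            Ports        = make_set(RemotePort, 10)
    by RemoteIP
// One remote address touched by several hosts is the pattern worth a look;
// raise or lower the threshold to fit the fleet size.
| where MachineCount >= 3
| top 100 by MachineCount desc
```

Run it as-is first with empty exclusion lists to establish a baseline count, then add one exclusion at a time and compare the result sets; an exclusion that removes a remote address seen on many devices deserves a second look before it becomes part of the saved query.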