Hunt for Local Firewall Deletions

Defender For Endpoint

DeviceProcessEvents
| where ProcessCommandLine contains "firewall delete"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe" // DFI sensor
| project-reorder
     Timestamp,
     DeviceName,
     AccountName,
     ProcessCommandLine,
     InitiatingProcessCommandLine

Sentinel

DeviceProcessEvents
| where ProcessCommandLine contains "firewall delete"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.Updater.exe" // DFI sensor
| project-reorder
     TimeGenerated,
     DeviceName,
     AccountName,
     ProcessCommandLine,
     InitiatingProcessCommandLine

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

LocalFirewallDeletions.md

LocalFirewallDeletions.md

Hunt for Local Firewall Deletions

Defender For Endpoint

Sentinel

Files

LocalFirewallDeletions.md

Latest commit

History

LocalFirewallDeletions.md

File metadata and controls

Hunt for Local Firewall Deletions

Defender For Endpoint

Sentinel