Host firewall reporting in Microsoft Defender for Endpoint
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
If you're a Global or security administrator, you can now view host firewall reporting in the Microsoft Defender portal. This feature lets you view Windows firewall reporting from a centralized location.
What do you need to know before you begin?
- You must be running Windows 10 or later, or Windows Server 2012 R2 or later.
Note
For Windows Server 2012 R2 and Windows Server 2016 to appear in Firewall reports, these devices must be onboarded using the modern unified solution package. For more information, see New functionality in the modern unified solution for Windows Server 2012 R2 and 2016.
- To onboard devices to the Microsoft Defender for Endpoint service, see here.
- For Microsoft Defender portal to start receiving the data, you must enable Audit Events for Windows Defender Firewall with Advanced Security:
- Enable these events by using Group Policy Object Editor, Local Security Policy, or the auditpol.exe commands. For more information, see here.
- The two PowerShell commands are:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
- A PowerShell script that checks both subcategories and, when run with the -remediate switch, enables failure auditing for them:
param (
    [switch]$remediate
)
try {
    # Both subcategories must have failure auditing enabled for firewall events to reach the portal.
    $categories = "Filtering Platform Packet Drop,Filtering Platform Connection"
    # /r returns CSV; ConvertFrom-Csv yields one object per subcategory with an "Inclusion Setting" column.
    $current = auditpol /get /subcategory:"$($categories)" /r | ConvertFrom-Csv
    $summary = ($current | ForEach-Object { $_.Subcategory + ":" + $_.'Inclusion Setting' + ";" }) -join " "
    # "Failure" and "Success and Failure" both satisfy the requirement; anything else needs remediation.
    $nonCompliant = $current | Where-Object { $_.'Inclusion Setting' -notmatch 'Failure' }
    if ($nonCompliant) {
        if ($remediate.IsPresent) {
            Write-Host "Remediating. No Auditing Enabled. $summary"
            $output = auditpol /set /subcategory:"$($categories)" /failure:enable
            if ($output -eq "The command was successfully executed.") {
                Write-Host "$($output)"
                exit 0
            }
            else {
                Write-Host "$($output)"
                exit 1
            }
        }
        else {
            Write-Host "Remediation Needed. $summary"
            exit 1
        }
    }
    else {
        Write-Host "Compliant. $summary"
        exit 0
    }
}
catch {
    throw $_
}
The process
Note
Make sure to follow the instructions in the section above and properly configure your devices to participate in the early preview.
- After enabling the events, Microsoft Defender XDR will start to monitor the data, which includes:
- Remote IP
- Remote Port
- Local Port
- Local IP
- Computer Name
- Process across inbound and outbound connections
- Admins can now see Windows host firewall activity here.
- Additional reporting can be facilitated by downloading the Custom Reporting script to monitor the Windows Defender Firewall activities using Power BI.
- It can take up to 12 hours before the data is reflected.
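Because the portal can lag by up to 12 hours, it is useful to confirm locally that the audit events are actually being written. The following PowerShell script is an added example, not part of the original page: it reads the Windows Filtering Platform audit events from the Security log and summarizes them by the same fields the portal reports (remote IP and port, local IP and port, computer name, process). It assumes Security event IDs 5152 (Filtering Platform Packet Drop) and 5157 (Filtering Platform Connection, blocked), the direction codes %%14592 (inbound) and %%14593 (outbound) used in the event XML, and an elevated session that can read the Security log.

```powershell
# Added example: summarize local Windows Filtering Platform block events.
# Assumptions: Security log events 5152 and 5157 carry the block data,
# Direction is encoded as %%14592 (Inbound) / %%14593 (Outbound),
# and the script runs elevated so the Security log is readable.
param (
    [int]$Hours = 24,
    [int]$Top = 20
)

$directionNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }

$filter = @{
    LogName   = 'Security'
    Id        = 5152, 5157
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # Get-WinEvent throws when nothing matches; treat that as "no events logged yet".
    if ($_.Exception.Message -match 'No events were found') {
        Write-Warning "No WFP block events in the last $Hours hours. Verify that failure auditing is enabled for both subcategories (auditpol /get /category:'Object Access')."
        return
    }
    throw
}

# Flatten each event's EventData into an object using the portal's field names.
# SourceAddress/DestAddress are packet source and destination, so which one is
# "remote" depends on the direction of the blocked connection.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $direction = $directionNames[$data['Direction']]
    if ($direction -eq 'Inbound') {
        $remoteIP = $data['SourceAddress']; $remotePort = $data['SourcePort']
        $localIP  = $data['DestAddress'];   $localPort  = $data['DestPort']
    }
    else {
        $localIP  = $data['SourceAddress']; $localPort  = $data['SourcePort']
        $remoteIP = $data['DestAddress'];   $remotePort = $data['DestPort']
    }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        EventId      = $e.Id
        ComputerName = $e.MachineName
        Direction    = $direction
        LocalIP      = $localIP
        LocalPort    = $localPort
        RemoteIP     = $remoteIP
        RemotePort   = $remotePort
        # Application is reported as a \device\harddiskvolumeN\... path.
        Process      = $data['Application']
    }
}

Write-Host "Total WFP block events (last $Hours h): $(@($rows).Count)"
$rows | Group-Object Direction | Select-Object Name, Count | Format-Table -AutoSize

Write-Host "Top $Top blocked (process, remote IP, remote port):"
$rows | Group-Object Process, RemoteIP, RemotePort |
    Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name |
    Format-Table -AutoSize
```

If the script warns that no events were found even though the two subcategories show Failure auditing, generate some blocked traffic (for example, an inbound connection to a closed port from another host on the network) and run it again; the Security log entry should appear immediately, well before the portal reflects it.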
Supported scenarios
- Firewall reporting
- From "Computers with a blocked connection" to device
- Drill into advanced hunting (preview refresh)
Firewall reporting
The firewall report pages give a summary of inbound, outbound, and application activity. You can access this page directly by going to https://security.microsoft.com/firewall.
These reports can also be accessed by going to Reports > Security Report > Devices (section) located at the bottom of the Firewall Blocked Inbound Connections card.
From "Computers with a blocked connection" to device
Cards support interactive objects. You can drill into the activity of a device by clicking on the device name, which will launch the Microsoft Defender portal in a new tab, and take you directly to the Device Timeline tab.
You can now select the Timeline tab, which will give you a list of events associated with that device.
After clicking on the Filters button on the upper right-hand corner of the viewing pane, select the type of event you want. In this case, select Firewall events and the pane will be filtered to Firewall events.
Drill into advanced hunting (preview refresh)
Firewall reports support drilling from the card directly into Advanced Hunting by clicking the Open Advanced hunting button. The query will be pre-populated.
The query can now be executed, and all related Firewall events from the last 30 days can be explored.
For more reporting, or custom changes, the query can be exported into Power BI for further analysis. Custom reporting can be facilitated by downloading the Custom Reporting script to monitor the Windows Defender Firewall activities using Power BI.
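As an added example (not from the original page), the following PowerShell script runs a firewall-focused advanced hunting query of the kind the portal pre-populates, but through the Microsoft Graph advanced hunting API (POST /security/runHuntingQuery), and writes the result to a CSV that can be loaded into Power BI. It assumes $AccessToken holds a bearer token granted the ThreatHunting.Read.All permission (a placeholder; obtain it with your usual app or delegated sign-in flow), and it uses the DeviceEvents ActionType values FirewallInboundConnectionBlocked, FirewallOutboundConnectionBlocked and FirewallInboundConnectionToAppBlocked for blocked connections.

```powershell
# Added example: query blocked firewall connections via the Microsoft Graph
# advanced hunting API and summarize per device.
# Assumption: $AccessToken is a valid bearer token with ThreatHunting.Read.All.
param (
    [Parameter(Mandatory)][string]$AccessToken,
    [int]$Days = 30,
    [string]$OutFile = '.\firewall-blocked-connections.csv'
)

# KQL along the lines of the portal's pre-populated query: blocked inbound and
# outbound connections from DeviceEvents over the last $Days days.
$query = @"
DeviceEvents
| where Timestamp > ago(${Days}d)
| where ActionType in ("FirewallInboundConnectionBlocked",
                       "FirewallOutboundConnectionBlocked",
                       "FirewallInboundConnectionToAppBlocked")
| summarize Blocked = count(),
            RemoteIPs = dcount(RemoteIP),
            LocalPorts = dcount(LocalPort),
            Processes = make_set(InitiatingProcessFileName, 10)
  by DeviceName, ActionType
| order by Blocked desc
"@

$body    = @{ Query = $query } | ConvertTo-Json -Compress
$headers = @{
    Authorization  = "Bearer $AccessToken"
    'Content-Type' = 'application/json'
}

$response = Invoke-RestMethod -Method Post -Headers $headers -Body $body `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery'

if (-not $response.results) {
    Write-Warning "Query returned no rows for the last $Days days. Confirm that audit events are enabled on the devices and that data has had time (up to 12 hours) to arrive."
    return
}

# results is an array of row objects keyed by the query's output columns.
$response.results |
    Select-Object DeviceName, ActionType, Blocked, RemoteIPs, LocalPorts,
        @{ Name = 'Processes'; Expression = { $_.Processes -join ', ' } } |
    Format-Table -AutoSize

# Flatten the set column so the CSV imports cleanly into Power BI.
$response.results |
    Select-Object DeviceName, ActionType, Blocked, RemoteIPs, LocalPorts,
        @{ Name = 'Processes'; Expression = { $_.Processes -join ';' } } |
    Export-Csv -Path $OutFile -NoTypeInformation

Write-Host "Wrote $(@($response.results).Count) rows to $OutFile"
```

The query is deliberately aggregated per device and action type rather than returning raw events, so the CSV stays small for a fleet-wide view; drop the summarize step and keep RemoteIP, RemotePort, LocalIP, LocalPort and InitiatingProcessFileName as output columns when you need the same per-connection detail the device timeline shows.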
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.