The Windows Firewall is a security component to help protect your computer from network risks. It comes equipped with inbound and outbound rule configurations. This guide will show how you'll be able to see the firewall profile settings, rules, and if enabled, parse the log file.
You must have XDR enabled in your environment.
This is intended for Windows only on Live Discovery.
--Domain Profile Information WITH domain (domainProfileStatus, domainDropLog, domainSuccesLog) AS ( SELECT CASE WHEN data = 1 THEN 'Enabled' ELSE 'Disabled' END, CAST((SELECT CASE WHEN data = 1 THEN 'Enabled' ELSE 'Disabled' END FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging' AND name = 'LogDroppedPackets') AS TEXT), CAST((SELECT CASE WHEN data = 1 THEN 'Enabled' ELSE 'Disabled' END FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging' AND name = 'LogSuccessfulConnections') AS TEXT) FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' AND name = 'EnableFirewall'), --Public Profile Information public (publicProfileStatus, publicDropLog, publicSuccessLog) AS ( SELECT CASE WHEN data = 1 THEN 'Enabled' ELSE 'Disabled' END, CAST((SELECT CASE WHEN data = 1 THEN 'Enabled' ELSE 'Disabled' END FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging' AND name = 'LogDroppedPackets') AS TEXT), CAST((SELECT CASE WHEN data = 1 THEN 'Enabled' ELSE 'Disabled' END FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging' AND name = 'LogSuccessfulConnections') AS TEXT) FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' AND name = 'EnableFirewall'), --Private Profile Information private (privateProfileStatus, privateDropLog, privateSuccessLog) AS ( SELECT CASE WHEN data = 1 THEN 'Enabled' ELSE 'Disabled' END, CAST((SELECT CASE WHEN data = 1 THEN 'Enabled' ELSE 'Disabled' END FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging' AND name = 'LogDroppedPackets') AS TEXT), CAST((SELECT CASE WHEN data = 1 THEN 'Enabled' ELSE 'Disabled' END FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging' AND name = 'LogSuccessfulConnections') AS TEXT) FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' AND name = 'EnableFirewall') --Merge Firewall Information SELECT * FROM domain JOIN public JOIN private
--FirewallRules WITH firewallRules AS ( SELECT name, data, datetime(mtime, 'unixepoch', 'localtime') AS modifiedTimeStamp FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'), firewallRulesDetails (name, version, action, isActive, direction, description) AS ( SELECT name, SPLIT(data,'|',0), REPLACE(SPLIT(data,'|',1),'Action=',''), REPLACE(SPLIT(data,'|',2),'Active=',''), REPLACE(SPLIT(data,'|',3),'Dir=',''), REPLACE(substring(data,38,(length(data))),'|',' ') FROM firewallRules WHERE data != '') SELECT name, action, isActive, direction, description FROM firewallRulesDetails WHERE isActive = 'TRUE' AND direction = 'In' ORDER BY name ASC
In this query, it returns all of the firewall rules, but this can be rather time consuming to parse. You could search on specifics within the description field. Add the following snippet below after line 14 in the query.
AND description LIKE '%LPort=3389%'
You can use any of the description contents. It is important to use the format exactly as shown in '%LPort=3389%'. The examples could be
DISCLAIMER: WINDOWS FIREWALL LOGGING IS DISABLED BY DEFAULT
This query uses a variable. You will create a variable type string for the variable name YYYY-MM-DD
--Read Log Files WITH firewallLogs AS( SELECT * FROM grep WHERE path = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log' AND pattern = '$$YYYY-MM-DD$$'), --Parse Log File Line by Line firewallLogsDetail (date, time, action, protocol, srcIP, dstIP, srcPort, dstPort, size, tcpFlags, tcpSyn, tcpPack, tcpWin, icmpType, icmpcode, info, path, pid) AS ( SELECT SPLIT(line, ' ', 0), CAST(SPLIT(line, ' ', 1) AS VARCHAR), SPLIT(line, ' ', 2), SPLIT(line, ' ', 3), SPLIT(line, ' ', 4), SPLIT(line, ' ', 5), SPLIT(line, ' ', 6), SPLIT(line, ' ', 7), SPLIT(line, ' ', 8), SPLIT(line, ' ', 9), SPLIT(line, ' ', 10), SPLIT(line, ' ', 11), SPLIT(line, ' ', 12), SPLIT(line, ' ', 13), SPLIT(line, ' ', 14), SPLIT(line, ' ', 15), SPLIT(line, ' ', 16), SPLIT(line, ' ', 17) FROM firewallLogs) --Collect Details in Readable Order SELECT date, time, pid, action, protocol, srcIP, srcPort, dstIP, dstPort, size, tcpFlags, tcpSyn, tcpPack, tcpWin, icmpType, icmpcode, info, path FROM firewallLogsDetail ORDER BY time ASC
You may want to broaden the scope on returning logs. The variable could be switched from YYYY-MM-DD to YYYY-MM. It will return more data and could possibly fail depending on how big the file is. The watchdog timer will not allow the agent to abuse the system resources.
In addition, adding more constraints will return more precise logs. Much like query two, you can add something like the following examples:
The more constraints, the less data returned, and precise the answer.
Happy querying!
-jk