Query Details
Windows All Firewall Inbound Block Events Last 100
Query
```kql // Find All Windows Defender Firewall Inbound Blocks // Limited to 100 results, adjust as necessary DeviceEvents | where ActionType == "FirewallInboundConnectionBlocked" | sort by Timestamp | limit 100 ```
Explanation
This query is designed to retrieve a list of events where the Windows Defender Firewall has blocked inbound connections. It specifically looks for events where the action type is "FirewallInboundConnectionBlocked." The results are sorted by the time they occurred, and the query is limited to showing only the first 100 events. You can adjust the limit if you need more or fewer results.
Details
Nathan Hutchinson
Released: February 12, 2026
Tables
DeviceEvents
Keywords
DeviceEventsActionTypeTimestamp
Operators
//|where==sort bylimit