Query Details

Windows Inbound Firewall Blocks By Process

Query

```kql
// Find Windows Defender Firewall Inbound Blocks (per process)
// Replace spotify.exe with required process file name
// Limited to 100 results, adjust as necessary
DeviceEvents
| where ActionType == "FirewallInboundConnectionBlocked"
| where InitiatingProcessFileName =~ "spotify.exe"
| sort by Timestamp desc
| limit 100
```

Explanation

This query searches the DeviceEvents table for inbound connections that Windows Defender Firewall blocked for a specific process, in this case "spotify.exe". It keeps only events where the action type is "FirewallInboundConnectionBlocked" and the initiating process file name is "spotify.exe"; the =~ operator makes that comparison case-insensitive. The results are sorted by timestamp, most recent first, and the output is limited to the 100 most recent events. This limit can be adjusted if needed.
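The following variant is an added example, not part of the original query. It aggregates the same block events per device, local port and process folder path, so repeated blocks show up as one row instead of 100 raw events. The 7-day lookback and the variable names are assumptions chosen for illustration; the columns used are standard DeviceEvents columns.

```kql
// Added example: summarise inbound blocks for one process instead of listing raw events
// ProcessName and Lookback are illustrative values, adjust as necessary
let ProcessName = "spotify.exe";
let Lookback = 7d;
DeviceEvents
| where Timestamp > ago(Lookback)
| where ActionType == "FirewallInboundConnectionBlocked"
| where InitiatingProcessFileName =~ ProcessName
// Group by folder path as well: the same file name running from an unexpected
// location is worth reviewing separately from the normal install path
| summarize
    Blocks = count(),
    DistinctRemoteIPs = dcount(RemoteIP),
    SampleRemoteIPs = make_set(RemoteIP, 5),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFolderPath, LocalPort
| sort by Blocks desc
```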

Details


Nathan Hutchinson

Released: February 12, 2026

Tables

DeviceEvents

Keywords

DeviceEvents, ActionType, InitiatingProcessFileName, Timestamp

Operators

//, |, where, ==, =~, sort by, desc, limit
