Query Details
```kql
DeviceEvents
// Keep only outbound connections the host firewall blocked
| where ActionType == "FirewallOutboundConnectionBlocked"
| join kind=leftouter (
    DeviceNetworkInfo
    // ConnectedNetworks is a JSON array; one row per connected network
    | mv-expand ParsedNetworks = parse_json(ConnectedNetworks)
    | extend NetworkCategory = tostring(ParsedNetworks.Category)
    // All network categories seen for a device (e.g. Public, Private, DomainAuthenticated)
    | summarize Categories = make_set(NetworkCategory) by DeviceId
    // Take the first category as the device's firewall profile
    | extend FirewallProfile = tostring(Categories[0])
) on DeviceId
| summarize
    BlockCount = count(),
    Devices = dcount(DeviceName),
    UniqueDestinations = dcount(RemoteIP)
    by FirewallProfile
| sort by BlockCount desc
```
This query analyzes firewall events to understand how often outbound connections are blocked on devices, and it categorizes those blocks by the network profile of each device. Here's a simplified breakdown:

1. Filter Events: It starts by selecting events where outbound connections were blocked by the firewall.
2. Join Network Info: It then joins this data with network information for each device to determine the network category (like "Public" or "Private") of the connected networks. Because the join is `leftouter`, blocked events from devices with no network information are kept and land in an empty profile.
3. Summarize Data: For each network category, it calculates:
   - BlockCount: the number of blocked outbound connections.
   - Devices: the number of distinct devices that produced blocks.
   - UniqueDestinations: the number of distinct remote IP addresses that were blocked.
4. Sort Results: Finally, it sorts the results by the number of blocked connections in descending order, showing which network profiles have the most blocks.

In essence, the query provides insight into how the network category affects the frequency of outbound connection blocks by the firewall.
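Added example, not part of the original query: a variant that makes two edge cases visible that the query above hides. `Categories[0]` silently picks one category when a device is connected to several networks, and the `leftouter` join leaves `FirewallProfile` empty for devices with no `DeviceNetworkInfo` rows. The `NetworkAdapterStatus` filter and the label strings are my own choices.

```kql
// Assumed names: NetworkProfiles (let binding) and the label strings are chosen here,
// not taken from the original query.
let NetworkProfiles =
    DeviceNetworkInfo
    // Ignore adapters that are down so stale networks do not skew the profile
    | where NetworkAdapterStatus == "Up"
    | mv-expand ParsedNetworks = parse_json(ConnectedNetworks)
    | extend NetworkCategory = tostring(ParsedNetworks.Category)
    | summarize Categories = make_set(NetworkCategory) by DeviceId
    // How many distinct categories the device is connected to
    | extend ProfileCount = array_length(Categories);
DeviceEvents
| where ActionType == "FirewallOutboundConnectionBlocked"
| join kind=leftouter (NetworkProfiles) on DeviceId
| extend FirewallProfile = case(
    // Unmatched rows from the leftouter join have a null ProfileCount
    isnull(ProfileCount), "Unknown (no network info)",
    // Device on several networks: keep every category instead of the first one
    ProfileCount > 1, strcat("Multiple: ", strcat_array(Categories, "+")),
    tostring(Categories[0]))
| summarize
    BlockCount = count(),
    Devices = dcount(DeviceName),
    UniqueDestinations = dcount(RemoteIP)
    by FirewallProfile
| sort by BlockCount desc
```

A large "Unknown" bucket usually means the query's lookback window is shorter than the device's last network report, so widen the time range before reading the per-profile counts.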

Nathan Hutchinson
Released: February 17, 2026