Query Details
```kql
// Outbound connections blocked by the host firewall, enriched with the
// network category (firewall profile) reported for the device
DeviceEvents
| where ActionType == "FirewallOutboundConnectionBlocked"
| join kind=leftouter (
    DeviceNetworkInfo
    // ConnectedNetworks is a JSON array; expand it to one row per network
    | mv-expand ParsedNetworks = parse_json(ConnectedNetworks)
    | extend NetworkCategory = tostring(ParsedNetworks.Category)
    // Distinct categories ever reported per device (make_set does not guarantee order)
    | summarize Categories = make_set(NetworkCategory) by DeviceId, DeviceName
    | extend FirewallProfile = tostring(Categories[0])
) on DeviceId
| project Timestamp, DeviceName, FirewallProfile, RemoteIP, RemotePort, InitiatingProcessFileName
| sort by Timestamp desc
| limit 100
```
This KQL query is designed to analyze and display information about outbound connections that were blocked by the firewall on various devices. Here's a simplified breakdown of what the query does:
Filter Events: It starts by filtering the DeviceEvents table to only include events where the ActionType is "FirewallOutboundConnectionBlocked". This means it focuses on instances where the firewall has blocked an outbound connection attempt.
Join with Network Info: It performs a left outer join with the DeviceNetworkInfo table, matched on DeviceId, to enrich the data. This involves:
Expanding the ConnectedNetworks field (a JSON array) with parse_json and mv-expand, and extracting each network's Category, which corresponds to the Windows Firewall profile (public, private or domain).
Summarizing the distinct categories per device with make_set and taking the first element as FirewallProfile. Because make_set does not guarantee order and the lookup is not bounded in time, a device that has been connected to networks of more than one category may be labelled with a profile that was not the one in effect when the connection was blocked.
Select and Display Data: The query then selects specific columns to display: Timestamp, DeviceName, FirewallProfile, RemoteIP, RemotePort, and InitiatingProcessFileName.
Sort and Limit Results: Finally, it sorts the results by Timestamp in descending order to show the most recent events first and limits the output to the top 100 entries.
In summary, this query provides a list of the 100 most recent outbound connection attempts that were blocked by the firewall, along with details about the device, network profile, and connection specifics.
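The following variant is an added example and not part of the original query. It addresses the profile-selection caveat by bounding both tables to a lookback window (7 days, an assumed value), keeping only the latest DeviceNetworkInfo report per device and adapter whose NetworkAdapterStatus is "Up", flagging devices that report more than one network category, and aggregating the blocked connections per process and remote port so that noisy blockers surface first. The "Unknown" placeholder for devices with no network information is also an assumption.

```kql
// Added example (not from the original page): time-bound enrichment built from
// the latest network snapshot per adapter, with multi-homed devices flagged and
// blocked connections aggregated per process. The 7-day window and the "Unknown"
// placeholder are assumptions for illustration.
let lookback = 7d;
let CurrentNetworks =
    DeviceNetworkInfo
    | where Timestamp > ago(lookback)
    | where NetworkAdapterStatus == "Up" and isnotempty(ConnectedNetworks)
    // Latest report per device and adapter, so stale snapshots do not pollute the set
    | summarize arg_max(Timestamp, ConnectedNetworks) by DeviceId, NetworkAdapterName
    | mv-expand ParsedNetworks = parse_json(ConnectedNetworks)
    | extend NetworkCategory = tostring(ParsedNetworks.Category)
    | where isnotempty(NetworkCategory)
    | summarize Categories = make_set(NetworkCategory) by DeviceId
    | extend FirewallProfile = tostring(Categories[0]),
             AllProfiles = strcat_array(Categories, "|"),
             MultiHomed = array_length(Categories) > 1;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "FirewallOutboundConnectionBlocked"
| join kind=leftouter CurrentNetworks on DeviceId
// Devices with no recent network report keep an explicit placeholder instead of ""
| extend FirewallProfile = iff(isempty(FirewallProfile), "Unknown", FirewallProfile)
| summarize Blocked = count(),
            DistinctRemoteIPs = dcount(RemoteIP),
            SampleRemoteIPs = make_set(RemoteIP, 5),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, FirewallProfile, AllProfiles, MultiHomed, InitiatingProcessFileName, RemotePort
| sort by Blocked desc
| take 100
```

Rows with MultiHomed == true are the ones where FirewallProfile is still an arbitrary pick; AllProfiles lists every category the device currently reports, so the analyst can see the ambiguity rather than silently trust the first element.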

Nathan Hutchinson
Released: February 17, 2026