Detects processes or users modifying Windows Defender Firewall profiles, policies, or rules followed by measurable network exposure changes. Correlates firewall management execution, registry/policy mutation, service state changes, and subsequent inbound or outbound connectivity inconsistent with baseline administration.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |
| Service Creation (DC0060) | WinEventLog:System | EventCode=7036 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| Network Connection Creation (DC0082) | WinEventLog:Security | EventCode=5156, 5157 |

| Field | Description |
|---|---|
| AuthorizedAdminAccounts | Known administrators allowed to manage host firewall settings |
| MaintenanceWindow | Approved change windows where firewall modifications are expected |
| ExposureCorrelationWindow | Time window to correlate firewall change with new connections/listeners |
| SensitivePorts | Ports of concern such as RDP, SMB, WinRM, SSH, custom admin ports |
| AllowedManagementParents | Expected parent processes such as SCCM, Intune agent, GPO client |
| RuleScopeThreshold | Detect widening from subnet/local scope to Any/0.0.0.0/0 |
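The correlation the analytic describes, as an added example that is not part of this page: it pairs a firewall change (Sysmon EventCode 1 running a firewall management tool, or EventCode 12/13/14 under the FirewallPolicy key) that falls outside baseline administration with a subsequent inbound connection to a sensitive port on the same host inside ExposureCorrelationWindow. The normalized event shape, the tool and key markers, and all tunable values are assumptions; the events are constructed.

```python
from datetime import datetime, timedelta

# Tunable fields from the analytic; every value below is a constructed assumption.
AUTHORIZED_ADMIN_ACCOUNTS = {"CORP\\svc_sccm"}
MAINTENANCE_WINDOW = (datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 1, 4, 0))
EXPOSURE_CORRELATION_WINDOW = timedelta(minutes=15)
SENSITIVE_PORTS = {22, 445, 3389, 5985, 5986}  # SSH, SMB, RDP, WinRM
ALLOWED_MANAGEMENT_PARENTS = {"ccmexec.exe", "intunemanagementextension.exe"}
FIREWALL_TOOLS = ("netsh advfirewall", "set-netfirewallprofile", "set-netfirewallrule", "new-netfirewallrule")
FIREWALL_POLICY_KEY = "\\services\\sharedaccess\\parameters\\firewallpolicy"

# Constructed Sysmon events in a hypothetical normalized shape ("code" is the Sysmon EventCode).
T0 = datetime(2024, 5, 1, 14, 0)
EVENTS = [
    {"ts": T0, "code": 1, "host": "WS01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"ts": T0 + timedelta(seconds=1), "code": 13, "host": "WS01", "user": "CORP\\jdoe",
     "key": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile\\EnableFirewall"},
    {"ts": T0 + timedelta(minutes=4), "code": 3, "host": "WS01", "initiated": False, "src_ip": "203.0.113.7", "dst_port": 3389},
    # Baseline administration: rule added under the SCCM agent, and no sensitive inbound connection inside the window.
    {"ts": T0, "code": 1, "host": "WS02", "user": "CORP\\svc_sccm", "parent": "ccmexec.exe",
     "cmdline": "netsh advfirewall firewall add rule name=Patch dir=in action=allow protocol=TCP localport=8530"},
    {"ts": T0 + timedelta(hours=2), "code": 3, "host": "WS02", "initiated": False, "src_ip": "10.0.0.5", "dst_port": 445},
]

def is_firewall_change(ev):
    # Sysmon 1 running a firewall management tool, or Sysmon 12/13/14 touching the FirewallPolicy key.
    if ev["code"] == 1:
        return any(t in ev["cmdline"].lower() for t in FIREWALL_TOOLS)
    return ev["code"] in (12, 13, 14) and FIREWALL_POLICY_KEY in ev["key"].lower()

def is_baseline_administration(ev):
    # Expected when a sanctioned management parent made the change, or an authorized admin did so inside the window.
    in_window = MAINTENANCE_WINDOW[0] <= ev["ts"] <= MAINTENANCE_WINDOW[1]
    return ev.get("parent", "").lower() in ALLOWED_MANAGEMENT_PARENTS or (ev.get("user") in AUTHORIZED_ADMIN_ACCOUNTS and in_window)

def is_new_exposure(ev):
    # Inbound (not host-initiated) Sysmon 3 connection to a port of concern.
    return ev["code"] == 3 and not ev["initiated"] and ev["dst_port"] in SENSITIVE_PORTS

def correlate(events):
    # Pair each unexpected firewall change with exposure on the same host inside the correlation window.
    alerts = set()
    for ch in (e for e in events if is_firewall_change(e) and not is_baseline_administration(e)):
        for ev in events:
            if ev["host"] == ch["host"] and is_new_exposure(ev) and timedelta(0) <= ev["ts"] - ch["ts"] <= EXPOSURE_CORRELATION_WINDOW:
                alerts.add((ch["host"], ch["user"], ev["dst_port"]))
    return sorted(alerts)
```

Both the process-creation and the registry-modification events on WS01 collapse into one alert, because the set is keyed on host, user and exposed port rather than on the triggering event.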