From 31032b6cc302024d52b130f1a7bf1571ded162ea Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Fri, 6 Oct 2023 15:30:06 +0200 Subject: [PATCH 01/16] Update configure-the-windows-firewall-log.md Adding information on how to handle log file creation failures. This is a quite common issue with an easy solution. --- .../configure-the-windows-firewall-log.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 2912122082..87cb6b97d1 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md 
@@ -41,5 +41,34 @@ To complete these procedures, you must be a member of the Domain Administrators 6. Click **OK** twice. +### Troubleshooting if the log file is not created or written to + +Sometimes the log files are not created or no events are written the log files. This can be related to missing permissions for the Windows Defender Firewall Service (mpssvc) on the folder or the logfiles themselves. It can happen if you want to store the log files in a different folder or the permissions were removed or have not been set automatically. + +Verify if mpssvc has FullControl on the folder and the files. +Open an elevated PowerShell and use these commands. Make sure to use the correct path. + +``` +$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" +(Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize +``` +The output should show NT SERVICE\mpssvc having FullControl: +``` +IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags +----------------- ---------------- ----------------- ----------- ---------------- +NT AUTHORITY\SYSTEM FullControl Allow False ObjectInherit +BUILTIN\Administrators FullControl Allow False ObjectInherit +NT SERVICE\mpssvc FullControl Allow False ObjectInherit +``` +If not, add FullControl permissions for mpssvc to the folder, subfolders and files. Make sure to use the correct path. +``` +$LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" +$ACL = get-acl -Path $LogPath +$ACL.SetAccessRuleProtection($true, $false) +$RULE = New-Object System.Security.AccessControl.FileSystemAccessRule ("NT SERVICE\mpssvc","FullControl","ContainerInherit,ObjectInherit","None","Allow") +$ACL.AddAccessRule($RULE) +``` +Restart the Computer to restart the Windows Defender Firewall Service. 
+ ### Troubleshooting Slow Log Ingestion If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation. From aafa943dfc2e07eeafbeb3c1721250d6d6e791df Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 9 Oct 2023 12:33:43 +0200 Subject: [PATCH 02/16] Update configure-the-windows-firewall-log.md Added a paragraph related to the folder creation issue. --- .../configure-the-windows-firewall-log.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 87cb6b97d1..5d7fd690df 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md 
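Review bot: The permission-fix block in this hunk never writes the modified ACL back to disk, so as written it changes nothing: after `$ACL.AddAccessRule($RULE)` it needs `Set-Acl -Path $LogPath -AclObject $ACL`. On the same block, `$ACL.SetAccessRuleProtection($true, $false)` disables inheritance and discards the inherited entries, so if SYSTEM and Administrators only held inherited access on the folder they lose it the moment the ACL is applied; either pass `$true, $true` to convert inherited entries into explicit ones, or leave inheritance untouched and only add the mpssvc rule. The verification command reads the folder's ACL only, while the text says to check "the folder and the files"; `Get-ChildItem -Path $LogPath | Get-Acl` covers the files. Minor: "no events are written the log files" is missing "to"; the sample output shows `ObjectInherit` only while the new rule uses `ContainerInherit,ObjectInherit`, which is worth reconciling; and since the sample output lists exactly SYSTEM, Administrators and mpssvc, a sentence noting that any additional principal with write access to this folder weakens the integrity of the firewall log would make the check useful beyond the "no log appears" case.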
@@ -43,7 +43,12 @@ To complete these procedures, you must be a member of the Domain Administrators ### Troubleshooting if the log file is not created or written to -Sometimes the log files are not created or no events are written the log files. This can be related to missing permissions for the Windows Defender Firewall Service (mpssvc) on the folder or the logfiles themselves. It can happen if you want to store the log files in a different folder or the permissions were removed or have not been set automatically. +Sometimes the log files are not created or no events are written the log files. This can be related to missing permissions for the Windows Defender Firewall Service (mpssvc) on the folder or the logfiles themselves. It can happen if you want to store the log files in a different folder or the permissions were removed or have not been set automatically. +If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existant folder is configered via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC. + +``` +New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall +``` Verify if mpssvc has FullControl on the folder and the files. Open an elevated PowerShell and use these commands. Make sure to use the correct path. @@ -70,5 +75,7 @@ $ACL.AddAccessRule($RULE) ``` Restart the Computer to restart the Windows Defender Firewall Service. + + ### Troubleshooting Slow Log Ingestion If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation. From 2cf3cc7e1d9977df0fd4fdb13c782be88051f6fd Mon Sep 17 00:00:00 2001 
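Review bot: `New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall` fails with an error if the folder already exists; add `-Force` (harmless for an existing directory) or guard it with `Test-Path`. The sentence before it says to create the folder "and add the permissions for MPSSVC", but the snippet stops at creation, so a freshly created folder only carries whatever it inherits from `LogFiles`; either append the ACL commands here or point the reader explicitly at them further down. Spelling in the new paragraph: "non-existant" should be "non-existent" and "configered" should be "configured". The second hunk adds two blank lines before the next heading where one is enough.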
From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:34:13 +0200 Subject: [PATCH 03/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 5d7fd690df..88935dbb98 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md @@ -41,7 +41,7 @@ To complete these procedures, you must be a member of the Domain Administrators 6. Click **OK** twice. -### Troubleshooting if the log file is not created or written to +### Troubleshooting if the log file is not created or modified Sometimes the log files are not created or no events are written the log files. This can be related to missing permissions for the Windows Defender Firewall Service (mpssvc) on the folder or the logfiles themselves. It can happen if you want to store the log files in a different folder or the permissions were removed or have not been set automatically. If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existant folder is configered via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC. 
From f5f96e85787645e9ac79c2761595f49971e99248 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:34:27 +0200 Subject: [PATCH 04/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 88935dbb98..7f6679dd97 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md @@ -46,7 +46,7 @@ To complete these procedures, you must be a member of the Domain Administrators Sometimes the log files are not created or no events are written the log files. This can be related to missing permissions for the Windows Defender Firewall Service (mpssvc) on the folder or the logfiles themselves. It can happen if you want to store the log files in a different folder or the permissions were removed or have not been set automatically. If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existant folder is configered via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC. -``` +```PowerShell New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall ``` 
From 78b2e60ccae970c42eae1e1e8bfbe4fd6cdec8b1 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:34:47 +0200 Subject: [PATCH 05/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 7f6679dd97..d875961d63 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md @@ -50,7 +50,7 @@ If firewall logging is configured via Group Policy only, it also can happen that New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall ``` -Verify if mpssvc has FullControl on the folder and the files. +Verify if MpsSvc has *FullControl* on the folder and the files. Open an elevated PowerShell and use these commands. Make sure to use the correct path. ``` From 164539542fd4585a42ef1bf8955903e1d367ed2c Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:35:04 +0200 Subject: [PATCH 06/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
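Review bot: Changing "mpssvc" to "MpsSvc" in this sentence while the sample output and the access rule still use `NT SERVICE\mpssvc` and the paragraph above uses "MPSSVC" leaves three spellings of the service name in one section; the display name MpsSvc is fine in prose, but apply it consistently.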
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index d875961d63..0ade81bb0a 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md @@ -51,7 +51,7 @@ New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall ``` Verify if MpsSvc has *FullControl* on the folder and the files. -Open an elevated PowerShell and use these commands. Make sure to use the correct path. +From an elevated PowerShell session, use the following commands, ensuring to use the correct path: ``` $LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" From b578e93ceedb6582dbba9f0a0fbf3cc99d9153c4 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:35:11 +0200 Subject: [PATCH 07/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 0ade81bb0a..1f55d3b115 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md 
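Review bot: "ensuring to use the correct path" is ungrammatical; "making sure to use the correct path" or, better, "adjusting `$LogPath` if you changed the log location" tells the reader why the path may differ.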
@@ -53,7 +53,7 @@ New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall Verify if MpsSvc has *FullControl* on the folder and the files. From an elevated PowerShell session, use the following commands, ensuring to use the correct path: -``` +```PowerShell $LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" (Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize ``` From ad72d997c3fd64ed604b1d8bfb51fd697703edbd Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:35:23 +0200 Subject: [PATCH 08/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 1f55d3b115..7e133b5be6 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md 
@@ -58,7 +58,7 @@ $LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" (Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize ``` The output should show NT SERVICE\mpssvc having FullControl: -``` +```PowerShell IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags ----------------- ---------------- ----------------- ----------- ---------------- NT AUTHORITY\SYSTEM FullControl Allow False ObjectInherit From 84b9178eaf6fbbbf3d941e5aa1c18e3358b8f2d4 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:35:32 +0200 Subject: [PATCH 09/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 7e133b5be6..08afe5621e 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md 
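Review bot: This fence wraps console output, not PowerShell code, so tagging it ```PowerShell syntax-highlights a table and suggests it can be pasted; unlike the other fence changes in this series, which wrap runnable commands, this one should stay a plain fence or use an `output`/`console` tag.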
@@ -66,7 +66,7 @@ BUILTIN\Administrators FullControl Allow False ObjectI NT SERVICE\mpssvc FullControl Allow False ObjectInherit ``` If not, add FullControl permissions for mpssvc to the folder, subfolders and files. Make sure to use the correct path. -``` +```PowerShell $LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" $ACL = get-acl -Path $LogPath $ACL.SetAccessRuleProtection($true, $false) From 96fa42474b5aede18365240f7fca7e50c6c59f9f Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:35:48 +0200 Subject: [PATCH 10/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 08afe5621e..02ace74c40 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md 
@@ -57,7 +57,7 @@ From an elevated PowerShell session, use the following commands, ensuring to use $LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" (Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize ``` -The output should show NT SERVICE\mpssvc having FullControl: +The output should show `NT SERVICE\mpssvc` having *FullControl*: ```PowerShell IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags ----------------- ---------------- ----------------- ----------- ---------------- From 7709fcf3b57727addbabc0236dc7772c965f2658 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Mon, 9 Oct 2023 15:36:01 +0200 Subject: [PATCH 11/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 02ace74c40..9abc0d4784 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md 
@@ -73,7 +73,7 @@ $ACL.SetAccessRuleProtection($true, $false) $RULE = New-Object System.Security.AccessControl.FileSystemAccessRule ("NT SERVICE\mpssvc","FullControl","ContainerInherit,ObjectInherit","None","Allow") $ACL.AddAccessRule($RULE) ``` -Restart the Computer to restart the Windows Defender Firewall Service. +Restart the device to restart the Windows Defender Firewall Service. From a1e5ab3d70a032aa8f5f992c04a0dcd20e156169 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 9 Oct 2023 10:01:55 -0400 Subject: [PATCH 12/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md --- .../windows-firewall/configure-the-windows-firewall-log.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 9abc0d4784..bb5da1d87c 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md 
@@ -43,7 +43,12 @@ To complete these procedures, you must be a member of the Domain Administrators ### Troubleshooting if the log file is not created or modified -Sometimes the log files are not created or no events are written the log files. This can be related to missing permissions for the Windows Defender Firewall Service (mpssvc) on the folder or the logfiles themselves. It can happen if you want to store the log files in a different folder or the permissions were removed or have not been set automatically. +Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition may occur include: + +- missing permissions for the Windows Defender Firewall Service (MpsSvc) on the folder or on the log files +- you want to store the log files in a different folder and the permissions were removed, or haven't been set automatically +- if firewall logging is configured via Group Policy only, it can happen that the log folder isn't created in the default location `%windir%\System32\LogFiles\firewall` +- if a custom path to a non-existent folder is configured via Group Policy. In this case, you must create the folder manually or via script, and add the permissions for MpsSvc If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existant folder is configered via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC. ```PowerShell From 8c46a4a0681bfaad5994095a66910d1f27a99835 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 9 Oct 2023 10:08:13 -0400 Subject: [PATCH 13/16] Update configure-the-windows-firewall-log.md --- .../configure-the-windows-firewall-log.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) 
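Review bot: The new bullet list restates the paragraph that immediately follows it ("If firewall logging is configured via Group Policy only, ..."), so the missing-folder case is now explained twice; remove the old paragraph in this change. The fourth bullet also breaks the list's parallel structure by carrying the remedy ("In this case, you must create the folder manually or via script, and add the permissions for MpsSvc"), which applies equally to the third bullet; move that sentence below the list. The default path is written `%windir%\System32\LogFiles\firewall` in the list and as `%windir%\System32\LogFiles\` plus a `firewall` folder in the paragraph; keep one spelling.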
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index bb5da1d87c..b6d0f091f4 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md 
@@ -41,14 +41,17 @@ To complete these procedures, you must be a member of the Domain Administrators 6. Click **OK** twice. -### Troubleshooting if the log file is not created or modified +### Troubleshoot if the log file is not created or modified Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition may occur include: - missing permissions for the Windows Defender Firewall Service (MpsSvc) on the folder or on the log files - you want to store the log files in a different folder and the permissions were removed, or haven't been set automatically -- if firewall logging is configured via Group Policy only, it can happen that the log folder isn't created in the default location `%windir%\System32\LogFiles\firewall` -- if a custom path to a non-existent folder is configured via Group Policy. In this case, you must create the folder manually or via script, and add the permissions for MpsSvc +- if firewall logging is configured via policy settings, it can happen that + - the log folder in the default location `%windir%\System32\LogFiles\firewall` doesn't exist + - the log folder in a custom path doesn't exist + In both cases, you must create the folder manually or via script, and add the permissions for MpsSvc + If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existant folder is configered via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC. ```PowerShell 
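Review bot: The nested list fixes the parallel-structure problem, but the duplicate paragraph "If firewall logging is configured via Group Policy only, ..." is still present directly below it and now disagrees with the list, which says "policy settings" rather than "Group Policy only"; delete the paragraph here. The "In both cases, you must create the folder manually or via script, and add the permissions for MpsSvc" line has no list marker, so how it renders depends on its exact indentation; make it a separate paragraph after the list to be safe.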
@@ -62,7 +65,9 @@ From an elevated PowerShell session, use the following commands, ensuring to use $LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" (Get-ACL -Path $LogPath).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize ``` + The output should show `NT SERVICE\mpssvc` having *FullControl*: + ```PowerShell IdentityReference FileSystemRights AccessControlType IsInherited InheritanceFlags ----------------- ---------------- ----------------- ----------- ---------------- @@ -70,7 +75,9 @@ NT AUTHORITY\SYSTEM FullControl Allow False ObjectI BUILTIN\Administrators FullControl Allow False ObjectInherit NT SERVICE\mpssvc FullControl Allow False ObjectInherit ``` -If not, add FullControl permissions for mpssvc to the folder, subfolders and files. Make sure to use the correct path. + +If not, add *FullControl* permissions for mpssvc to the folder, subfolders and files. Make sure to use the correct path. + ```PowerShell $LogPath = Join-Path -path $env:windir -ChildPath "System32\LogFiles\Firewall" $ACL = get-acl -Path $LogPath @@ -78,9 +85,9 @@ $ACL.SetAccessRuleProtection($true, $false) $RULE = New-Object System.Security.AccessControl.FileSystemAccessRule ("NT SERVICE\mpssvc","FullControl","ContainerInherit,ObjectInherit","None","Allow") $ACL.AddAccessRule($RULE) ``` + Restart the device to restart the Windows Defender Firewall Service. +### Troubleshoot Slow Log Ingestion - -### Troubleshooting Slow Log Ingestion If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation. From 1ecd193386af9e7d5ceade788ebdf4393bbed5c0 Mon Sep 17 00:00:00 2001 
From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Mon, 9 Oct 2023 10:23:34 -0500 Subject: [PATCH 14/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index b6d0f091f4..daa952247d 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md @@ -52,7 +52,7 @@ Sometimes the Windows Firewall log files aren't created, or the events aren't wr - the log folder in a custom path doesn't exist In both cases, you must create the folder manually or via script, and add the permissions for MpsSvc -If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existant folder is configered via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC. +If firewall logging is configured via Group Policy only, it also can happen that the `firewall` folder is not created in the default location `%windir%\System32\LogFiles\`. The same can happen if a custom path to a non-existent folder is configured via Group Policy. In this case, create the folder manually or via script and add the permissions for MPSSVC. ```PowerShell New-Item -ItemType Directory -Path $env:windir\System32\LogFiles\Firewall 
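Review bot: The paragraph being spell-checked here duplicates the bullet list added two commits earlier; drop it rather than polish it, since the list already covers both the default-location and custom-path cases and the remedy.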
From 9131ec75f49abafee75aaba363ff8dad2ddee5db Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Mon, 9 Oct 2023 10:26:13 -0500 Subject: [PATCH 15/16] Update windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md --- .../windows-firewall/configure-the-windows-firewall-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index daa952247d..49182f30f0 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md @@ -43,7 +43,7 @@ To complete these procedures, you must be a member of the Domain Administrators ### Troubleshoot if the log file is not created or modified -Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition may occur include: +Sometimes the Windows Firewall log files aren't created, or the events aren't written to the log files. Some examples when this condition might occur include: - missing permissions for the Windows Defender Firewall Service (MpsSvc) on the folder or on the log files - you want to store the log files in a different folder and the permissions were removed, or haven't been set automatically From d1a29a220b00f0bfe67720917946ed9d0cfd765b Mon Sep 17 00:00:00 2001 
From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Mon, 9 Oct 2023 10:39:07 -0500 Subject: [PATCH 16/16] Update configure-the-windows-firewall-log.md --- .../configure-the-windows-firewall-log.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md index 49182f30f0..e60bc7b3ec 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md 
@@ -29,17 +29,18 @@ To complete these procedures, you must be a member of the Domain Administrators 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this path, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. - >**Important:**  The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file. + > [!IMPORTANT] + > The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file. - 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. + 5. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. - 5. No logging occurs until you set one of following two options: + 6. No logging occurs until you set one of following two options: - To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. - To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**. - 6. Click **OK** twice. + 7. Click **OK** twice. ### Troubleshoot if the log file is not created or modified
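Review bot: Renumbering steps 4, 5 and 6 to 5, 6 and 7 while step 3 at the top of the hunk keeps its number leaves the visible sequence running 3, 5, 6, 7; if a step 4 exists above this hunk, step 3 needs renumbering as well, otherwise this renumbering should be reverted. The `> [!IMPORTANT]` alert is the right replacement for the bold "Important:" note, and it is worth cross-linking it to the new "Troubleshoot if the log file is not created or modified" section, since a reader whose custom path lacks permissions for the firewall service is exactly who that section is for.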