I think I found my answer in this post: Set firewall rules for windows 10 update - #12 by icequbes1
Replace the rule with handle 14 to add logging and a counter:
nft replace rule qubes-firewall qbs-10-138-26-180 handle 14 counter log prefix \"[qubes-firewall-BLOCKED] \" reject with icmp type admin-prohibited
My remaining question is what's the best way to automate that. When qubes-firewall creates a chain, I want to run a “post hook” script that configures this chain to not reject with admin-prohibited but to log & drop.