Windows – seeing a lot of incoming NetBIOS activity on the Windows Firewall

Tags: netbios, windows, windows-firewall

I have been seeing a lot of firewall drops on ports 137 and 138 (NetBIOS) after I enabled the default behavior on my Windows FW (block incoming, allow outgoing). What is the reason for all the NetBIOS activity addressed to me? Can someone explain the technical reason behind this activity?

Thanks

Best Answer

NetBIOS is a network communication protocol that was designed over 30 years ago. WINS was developed to use this as an alternative to running a dedicated DNS service. A server would take the first 16 characters of its name as its NetBIOS name; when you create a new Active Directory name, one of the things you define is the domain's NetBIOS name.

Once it has its NetBIOS name, it then broadcasts that to everyone on its network. If none sends a reject message saying it's already in use, then it broadcasts it again as a registration. This means every computer on that network would register that computer's NetBIOS name in its local cache. You can see this by running nbtstat:

PS C:\..\mklink>nbtstat -r
NetBIOS Names Resolution and Registration Statistics
----------------------------------------------------
Resolved By Broadcast     = 0
Resolved By Name Server   = 0
Registered By Broadcast   = 12
Registered By Name Server = 0

PS C:\..\mklink>nbtstat -n
Ethernet 2:
Node IpAddress: [10.212.134.72] Scope Id: []
            NetBIOS Local Name Table
   Name               Type         Status
---------------------------------------------
DESKTOP        <00>  UNIQUE      Registered
DOMAIN         <00>  GROUP       Registered

Since NetBIOS works on an anonymous broadcast and response, it is easy to use tools to discover the resources on the network. This led to disabling NetBIOS. It is disabled by blocking incoming requests at the firewall; this doesn't block outgoing, which is why you'll still get your own registrations. The NetBIOS protocol is still used by other services, which is why it isn't disabled outright.

Short answer: NetBIOS is used by many services and is only blocked incoming at the firewall to prevent network discovery attacks.
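To make the "broadcast, reject, register" exchange in the answer concrete, here is an added example (not code from the original question or answer) that builds and decodes the two NetBIOS Name Service messages involved, following the packet layout of RFC 1001/1002: the NAME REGISTRATION REQUEST a host broadcasts to UDP/137 (the packets a block-inbound firewall logs as drops) and the NEGATIVE NAME REGISTRATION RESPONSE the current owner of a name sends back to reject it. The host name DESKTOP, the group name DOMAIN and the 10.212.134.x addresses are taken from the nbtstat output above; the transaction ID, TTL and the owner address 10.212.134.10 are assumptions chosen for the example, and every byte string is constructed here rather than captured from a network.

```python
"""NetBIOS Name Service (NBNS, UDP/137) packet builder and decoder.

Added example (not part of the original Q&A). Layout per RFC 1001/1002.
Every packet here is constructed in this file, not captured from a network.
"""
import struct

NBNS_OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh", 9: "refresh"}
NBNS_RCODES = {0: "ok", 1: "FMT_ERR", 2: "SRV_ERR", 4: "IMP_ERR", 5: "RFS_ERR", 6: "ACT_ERR", 7: "CFT_ERR"}
# The 16th byte of a NetBIOS name is the service suffix (the <00>/<20> shown by nbtstat -n).
NBNS_SUFFIXES = {0x00: "workstation", 0x03: "messenger", 0x1B: "domain master browser",
                 0x1C: "domain controllers", 0x1D: "master browser", 0x20: "file server"}
NODE_TYPES = {0: "B-node", 1: "P-node", 2: "M-node", 3: "H-node"}
FLAGS_REG_REQUEST = 0x2910       # R=0, OPCODE=5 (registration), RD=1, B=1 (broadcast)
FLAGS_NEG_REG_RESPONSE = 0xAD86  # R=1, OPCODE=5, AA=1, RD=1, RA=1, RCODE=6 (ACT_ERR: name active elsewhere)


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 s14.1): 15 space-padded chars + suffix byte,
    each byte split into two nibbles and mapped onto 'A'..'P' -> 32 bytes."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def _name_field(name, suffix):
    # length 0x20, 32 encoded bytes, 0x00 terminator (no scope ID, matching "Scope Id: []").
    return b"\x20" + encode_netbios_name(name, suffix) + b"\x00"


def _nb_rdata(ip, group):
    nb_flags = 0x8000 if group else 0x0000  # G bit set for GROUP names; ONT=00 -> B-node
    return struct.pack("!H4B", nb_flags, *(int(o) for o in ip.split(".")))


def build_registration_request(name, ip, suffix=0x00, group=False, trn_id=0x1234, ttl=300000):
    """The 68-byte broadcast a B-node sends to claim a name (trn_id/ttl are assumed values)."""
    header = struct.pack("!HHHHHH", trn_id, FLAGS_REG_REQUEST, 1, 0, 0, 1)  # QD=1, AR=1
    question = _name_field(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)  # TYPE NB, CLASS IN
    rdata = _nb_rdata(ip, group)
    # RR_NAME is a compression pointer (0xC00C) back to the question name at offset 12.
    additional = b"\xC0\x0C" + struct.pack("!HHIH", 0x0020, 0x0001, ttl, len(rdata)) + rdata
    return header + question + additional


def build_negative_registration_response(request, owner_ip, ttl=0):
    """The unicast rejection the current owner of the name sends to the requester."""
    req = parse_nbns(request)
    header = struct.pack("!HHHHHH", req["trn_id"], FLAGS_NEG_REG_RESPONSE, 0, 1, 0, 0)  # AN=1
    rdata = _nb_rdata(owner_ip, req["records"][0]["group"])
    rr = _name_field(req["name"], req["suffix"]) + struct.pack("!HHIH", 0x0020, 0x0001, ttl, len(rdata)) + rdata
    return header + rr


def _read_name(packet, off):
    """Return (name, suffix, next_offset); follows a 0xC0xx compression pointer if present."""
    if (packet[off] & 0xC0) == 0xC0:
        ptr = struct.unpack_from("!H", packet, off)[0] & 0x3FFF
        name, suffix, _ = _read_name(packet, ptr)
        return name, suffix, off + 2
    if packet[off] != 32:
        raise ValueError("unexpected NetBIOS name length %d" % packet[off])
    name, suffix = decode_netbios_name(packet[off + 1:off + 33])
    off += 33
    while packet[off] != 0:  # skip scope labels, if any
        off += 1 + packet[off]
    return name, suffix, off + 1


def parse_nbns(packet):
    """Decode header, question and NB resource records into a dict."""
    if len(packet) < 12:
        raise ValueError("truncated NBNS header")
    trn_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    info = {"trn_id": trn_id, "is_response": bool(flags & 0x8000),
            "opcode": NBNS_OPCODES.get((flags >> 11) & 0xF, "unknown"),
            "recursion_desired": bool(flags & 0x0100), "broadcast": bool(flags & 0x0010),
            "rcode": NBNS_RCODES.get(flags & 0xF, "unknown"), "records": []}
    off = 12
    for _ in range(qd):
        name, suffix, off = _read_name(packet, off)
        off += 4  # QUESTION_TYPE + QUESTION_CLASS
        info.update(name=name, suffix=suffix, service=NBNS_SUFFIXES.get(suffix, "other"))
    for _ in range(an + ns + ar):
        name, suffix, off = _read_name(packet, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        if rtype == 0x0020 and rdlen >= 6:  # NB record: NB_FLAGS + IPv4 address
            nb_flags, *octets = struct.unpack_from("!H4B", packet, off)
            info["records"].append({"name": name, "suffix": suffix, "ttl": ttl,
                                    "group": bool(nb_flags & 0x8000),
                                    "node_type": NODE_TYPES[(nb_flags >> 13) & 0x3],
                                    "address": ".".join(map(str, octets))})
            info.setdefault("name", name)
            info.setdefault("suffix", suffix)
        off += rdlen
    return info


if __name__ == "__main__":
    req = build_registration_request("DESKTOP", "10.212.134.72")          # what hits UDP/137
    print(parse_nbns(req))
    print(parse_nbns(build_negative_registration_response(req, "10.212.134.10")))  # a "reject"
```

Feeding the bytes of a dropped packet from a capture into parse_nbns tells you which host is claiming which name and suffix; a registration request with the broadcast flag set and a group name is exactly the periodic announcement described in the answer, and it is expected to show up on every host on the subnet whether or not that host accepts it.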
