Detect Adware Events Using KQL in Symantec Endpoint Protection Logs
This KQL query extracts adware-related security events from Symantec Endpoint Protection (SEP) logs, focusing on instances where adware was detected but not blocked. It summarizes unique alert counts by key parameters such as user, local and remote IP addresses, traffic direction, and intrusion URL, within the time range selected when the query is run. Using this query helps cybersecurity professionals identify potential gaps in endpoint defense and take timely action to mitigate risk.
Risk
Adware that escapes detection and blocking by Symantec Endpoint Protection can compromise endpoint integrity, leading to unwanted software installation, privacy violations, and system performance degradation. Unblocked adware events can serve as gateways for further malware infections or data exfiltration, posing a significant risk to organizational security. Continuous monitoring using KQL queries ensures early detection and remediation of such threats.
Query
Microsoft Sentinel
SymantecEndpointProtection
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: Adware"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
What this KQL does:
This query filters Symantec Endpoint Protection logs to retrieve events flagged as "Audit: Adware" whose description states that the attack was detected but not blocked. It then groups and counts those events by username, local and remote IP addresses, remote host name, traffic direction, intrusion URL, and event description, giving each row the context needed for analysis.
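The following is an added hunting variant of the query above, not part of the original page: it adds an explicit lookback window, first/last-seen timestamps, and the share of adware detections that went unblocked per user and host, so a row with a high unblocked ratio or a recent LastSeen stands out for triage. It assumes the same parser columns as the query above plus the standard TimeGenerated column.

```kql
// Added example (not from the original page). Assumes the Sentinel SEP
// parser columns used above and the standard TimeGenerated column.
let lookback = 7d;
SymantecEndpointProtection
| where TimeGenerated > ago(lookback)
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: Adware"
// Flag the unblocked detections; every other "Audit: Adware" event counts
// toward the total so the ratio shows how often the agent only audited.
| extend Unblocked = EventDescription contains "attack detected but not blocked"
| summarize
    NotBlocked = countif(Unblocked),
    Total = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    IntrusionUrls = make_set(IntrusionUrl, 20),
    RemoteHosts = make_set(RemoteHostIpAddr, 20)
    by UserName, LocalHostIpAddr, TrafficDirection
| where NotBlocked > 0
| extend UnblockedRatio = round(todouble(NotBlocked) / Total, 2)
| order by NotBlocked desc, LastSeen desc
```

Raise the lookback or lower the NotBlocked threshold when tuning for a quiet environment; the make_set caps keep the result rows readable on busy hosts.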