Detect FileZilla SFTP Risks with KQL in Symantec Logs
This KQL query helps detect FileZilla SFTP activity flagged by Symantec Endpoint Protection where an attack was detected but not blocked. It counts the matching alerts for each unique combination of user, local and remote host address, traffic direction, intrusion URL and event description over the timeframe selected in Sentinel. Monitoring these events is critical for identifying gaps where malicious SFTP traffic is seen by the endpoint agent but still gets through.
Risk
The main risk addressed here is unblocked SFTP attacks via FileZilla that may allow unauthorized data transfers or infiltration. Although Symantec Endpoint Protection detects these events, failing to block them could lead to data breaches, lateral movement within the network, or attacker persistence. Timely detection of these alerts lets security teams investigate and respond before a compromise occurs.
Query
Microsoft Sentinel
SymantecEndpointProtection
// Restrict to the agent security and risk log types
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
// contains is a case-insensitive substring match in KQL
| where EventDescription contains "Audit: FileZilla SFTP Activity"
| where EventDescription contains "attack detected but not blocked"
// One row per unique combination, with the number of matching events
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
What this query does:
This query filters Symantec logs for agent security and risk events related to FileZilla SFTP activity where an attack was detected but not blocked. It then counts those events grouped by user, local and remote host address, traffic direction, intrusion URL and event description, giving a clear overview of where unblocked activity is occurring and how often.
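To check the filter and grouping logic offline before deploying the rule, the same detection can be replayed over a handful of records. The Python below is an added example, not code from the page or from Symantec; the records are constructed, the column names are taken from the query above, and the substring matching mirrors KQL's case-insensitive contains.

```python
from collections import Counter

# Columns the query summarizes on; the tuple order is the group key.
GROUP_KEYS = ("UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
              "TrafficDirection", "IntrusionUrl", "EventDescription")
ALLOWED_LOG_TYPES = ("Agent Security Logs", "Agent Risk Logs")


def _event(log_type, user, description):
    """Build a constructed sample record shaped like a SymantecEndpointProtection row."""
    return {
        "LogType": log_type, "UserName": user, "LocalHostIpAddr": "10.0.0.5",
        "RemoteHostName": "files.example.test", "RemoteHostIpAddr": "203.0.113.7",
        "TrafficDirection": "Outbound", "IntrusionUrl": "sftp://files.example.test",
        "EventDescription": description,
    }


# Constructed sample data (not real telemetry), including rows the query must drop.
UNBLOCKED = "Audit: FileZilla SFTP Activity. Attack detected but not blocked."
BLOCKED = "Audit: FileZilla SFTP Activity. Attack detected and blocked."
SAMPLE_EVENTS = [
    _event("Agent Security Logs", "alice", UNBLOCKED),
    _event("Agent Security Logs", "alice", UNBLOCKED),  # same key: Count becomes 2
    _event("Agent Risk Logs", "bob", UNBLOCKED),
    _event("Agent Security Logs", "carol", BLOCKED),    # blocked: excluded
    _event("Agent System Logs", "dave", UNBLOCKED),     # wrong LogType: excluded
]


def _contains(haystack, needle):
    """KQL `contains` is a case-insensitive substring match; mirror that."""
    return needle.lower() in (haystack or "").lower()


def unblocked_filezilla_sftp_alerts(events):
    """Replay the query: filter on LogType and description, then count per group key.

    Returns {group_key_tuple: Count}, one entry per summarize row.
    """
    counts = Counter()
    for ev in events:
        if ev.get("LogType") not in ALLOWED_LOG_TYPES:
            continue
        desc = ev.get("EventDescription", "")
        if not _contains(desc, "Audit: FileZilla SFTP Activity"):
            continue
        if not _contains(desc, "attack detected but not blocked"):
            continue
        counts[tuple(ev.get(k) for k in GROUP_KEYS)] += 1
    return dict(counts)
```

Running the function over SAMPLE_EVENTS yields two rows, alice with Count 2 and bob with Count 1; the blocked event and the event from an unlisted log type are dropped exactly as the KQL where clauses drop them.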