Detect Malicious Scan Attempts Using KQL in Symantec Endpoint Protection Logs
This KQL query surfaces malicious scan attempts that Symantec Endpoint Protection (SEP) detected but did not block, by filtering the Agent Security and Agent Risk logs for the relevant event text. It then counts matching events per username, local and remote host, traffic direction, and intrusion URL over the query's lookback window, so an analyst can see which sources are probing which hosts and how often. Running the query in Microsoft Sentinel lets it cover a large volume of SEP telemetry quickly and makes it usable as a scheduled analytics rule.
Risk
Malicious scan attempts that SEP detects but does not block are worth tracking. In SEP, intrusion prevention signatures prefixed "Audit:" log without blocking by design, so these events are expected to appear as "detected but not blocked"; the value of the query is in identifying the sources doing the scanning and the hosts they target. Scans are often a precursor to exploitation or lateral movement, and an attacker who maps a network unnoticed can pick vulnerable services and time an intrusion. Counting unblocked scans per source and destination turns a noisy audit stream into a short list of hosts and remote addresses that deserve follow-up.
Query
Microsoft Sentinel
SymantecEndpointProtection
// Lookback window; a scheduled analytics rule supplies its own query period instead.
| where TimeGenerated >= ago(1d)
| where LogType in ("Agent Security Logs", "Agent Risk Logs")
// 'contains' is case-insensitive in KQL; both phrases must appear in the description.
| where EventDescription contains "Audit: Malicious Scan Attempt"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
| sort by Count desc
Query Breakdown:
- Restricts the SEP data to the Agent Security and Agent Risk log types, which carry intrusion prevention events.
- Keeps only events whose description mentions both "Audit: Malicious Scan Attempt" and "attack detected but not blocked".
- Groups the remaining events by user, local IP, remote hostname and IP, traffic direction, intrusion URL, and event description.
- Returns a count of matching events per group; count() counts events, not distinct alerts, so a source that scans repeatedly ranks higher.
- Scope the query to a lookback window, either through an explicit TimeGenerated filter or the analytics rule's query period, so the counts reflect a known time frame.
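To show what the pipeline does step by step, here is a Python re-implementation of the same detection logic run over a handful of constructed records. This is an added example, not code from the page or from Symantec or Microsoft; the field names are the ones the query above uses, the one-day lookback mirrors the ago(1d) convention, and every host, IP, user, and URL value is invented.

```python
"""Re-implementation of the KQL detection over constructed SEP-style records.

Each record mimics a row of the Sentinel SymantecEndpointProtection parser,
using only the columns the query references. Values are invented.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (assumption for the example).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

ACCEPTED_LOG_TYPES = {"Agent Security Logs", "Agent Risk Logs"}
GROUP_KEYS = ("UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
              "TrafficDirection", "IntrusionUrl", "EventDescription")

UNBLOCKED = "Audit: Malicious Scan Attempt attack detected but not blocked"

def _event(age_hours, log_type, desc, user, local_ip, remote_host, remote_ip, direction, url=""):
    """Build one constructed SEP-style record."""
    return {
        "TimeGenerated": NOW - timedelta(hours=age_hours),
        "LogType": log_type, "EventDescription": desc, "UserName": user,
        "LocalHostIpAddr": local_ip, "RemoteHostName": remote_host,
        "RemoteHostIpAddr": remote_ip, "TrafficDirection": direction, "IntrusionUrl": url,
    }

# Constructed sample data: three rows should match, three should be filtered out.
SAMPLE_EVENTS = [
    _event(1, "Agent Security Logs", UNBLOCKED, "jdoe", "10.0.0.15",
           "scanner.example.internal", "10.0.9.200", "Inbound"),
    _event(2, "Agent Security Logs", UNBLOCKED, "jdoe", "10.0.0.15",
           "scanner.example.internal", "10.0.9.200", "Inbound"),
    _event(3, "Agent Risk Logs", UNBLOCKED.upper(), "asmith", "10.0.0.42",   # case differs
           "", "203.0.113.7", "Inbound"),
    _event(1, "Agent Traffic Logs", UNBLOCKED, "jdoe", "10.0.0.15",          # wrong LogType
           "scanner.example.internal", "10.0.9.200", "Inbound"),
    _event(1, "Agent Security Logs",                                        # blocked, not a hit
           "Audit: Malicious Scan Attempt attack blocked", "jdoe", "10.0.0.15",
           "scanner.example.internal", "10.0.9.200", "Inbound"),
    _event(30, "Agent Security Logs", UNBLOCKED, "bwong", "10.0.0.77",        # outside lookback
           "", "198.51.100.9", "Inbound"),
]

def is_unblocked_scan(event):
    """The two 'where' clauses: log type, then both phrases (case-insensitive like KQL contains)."""
    desc = (event.get("EventDescription") or "").lower()
    return (event.get("LogType") in ACCEPTED_LOG_TYPES
            and "audit: malicious scan attempt" in desc
            and "attack detected but not blocked" in desc)

def summarize_unblocked_scans(events, now=NOW, lookback=timedelta(days=1)):
    """Mirror of the full pipeline: time window, filters, summarize count() by group, sort desc.

    Returns a list of (group_tuple, count) pairs, group_tuple ordered as GROUP_KEYS.
    """
    cutoff = now - lookback
    counts = Counter(
        tuple(e.get(k) or "" for k in GROUP_KEYS)
        for e in events
        if e["TimeGenerated"] >= cutoff and is_unblocked_scan(e)
    )
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for group, count in summarize_unblocked_scans(SAMPLE_EVENTS):
        print(count, dict(zip(GROUP_KEYS, group)))
```

The same three things the KQL relies on are visible here: the log-type check runs before the text match, the phrase match is case-insensitive, and the result is an event count per group rather than a list of distinct alerts, so the repeated jdoe row collapses to one line with Count 2.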