KQL to Detect Suspicious Process Website Access Not Blocked by Symantec
Description
Using KQL in Microsoft Sentinel, this detection identifies events where a suspicious process attempted to access a website but was not blocked by Symantec Endpoint Protection. The query filters the relevant Symantec logs to surface these events and summarizes the number of matching alerts per host and user for the chosen time range.
Risk
Symantec may flag a suspicious process attempting to access a malicious site but not necessarily block it, especially during audit or learning modes. These events may go unnoticed if not actively monitored, posing a significant threat by allowing potential command-and-control communications or data exfiltration to occur without active intervention. Detecting these unblocked access attempts is crucial for identifying gaps in endpoint protection coverage.
Query
Microsoft Sentinel
SymantecEndpointProtection
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: Suspicious Process Accessing"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
This query zeroes in on Symantec Endpoint Protection events where a suspicious process was flagged but not stopped. It keeps only the relevant audit entries and counts them per user, host, remote endpoint and URL, giving defenders a clear map of where endpoint protection hesitated, so that they do not.
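To check the query's logic before deploying it, the following added example (not part of the original page) re-implements its three `where` clauses and the `summarize` in Python over constructed Symantec-style records; the event descriptions, hostnames and IPs are placeholders, and the lower-casing mirrors the case-insensitive behaviour of KQL `contains`.

```python
"""Emulates the Sentinel query above over constructed Symantec-style records.
KQL `contains` is case-insensitive, so both sides are lower-cased here."""
from collections import Counter

LOG_TYPES = {"Agent Security Logs", "Agent Risk Logs"}          # from the query
NEEDLES = ("audit: suspicious process accessing", "attack detected but not blocked")
GROUP_KEYS = ("UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
              "TrafficDirection", "IntrusionUrl", "EventDescription")

def _ev(log_type, user, host, desc, url="http://example.invalid/beacon"):
    """Build one constructed record carrying the columns the query groups on."""
    return {"LogType": log_type, "UserName": user, "LocalHostIpAddr": host,
            "RemoteHostName": "example.invalid", "RemoteHostIpAddr": "192.0.2.10",
            "TrafficDirection": "Outbound", "IntrusionUrl": url, "EventDescription": desc}

# Constructed descriptions (wording is illustrative, not copied from Symantec).
UNBLOCKED = "Audit: Suspicious Process Accessing Web Site attack detected but not blocked."
BLOCKED = "Suspicious Process Accessing Web Site attack blocked."

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    _ev("Agent Security Logs", "alice", "10.0.0.5", UNBLOCKED),
    _ev("Agent Security Logs", "alice", "10.0.0.5", UNBLOCKED),        # repeat -> Count 2
    _ev("Agent Security Logs", "alice", "10.0.0.5", BLOCKED),          # blocked -> excluded
    _ev("Agent Traffic Logs", "bob", "10.0.0.6", UNBLOCKED),           # LogType out of scope -> excluded
    _ev("Agent Risk Logs", "bob", "10.0.0.6", UNBLOCKED.upper()),      # case differs -> still matches
    _ev("Agent Risk Logs", "bob", "10.0.0.6", UNBLOCKED, url="http://example.invalid/x"),
]

def matches(event):
    """The three `where` clauses of the query."""
    if event.get("LogType") not in LOG_TYPES:
        return False
    desc = (event.get("EventDescription") or "").lower()
    return all(needle in desc for needle in NEEDLES)

def summarize(events):
    """`summarize Count=count() by ...`: one row per distinct group-key tuple."""
    counts = Counter(tuple(e.get(k) for k in GROUP_KEYS) for e in events if matches(e))
    return dict(counts)

def per_host_user(events):
    """Roll the grouped rows up to (UserName, LocalHostIpAddr) for triage."""
    rolled = Counter()
    for key, n in summarize(events).items():
        rolled[key[:2]] += n
    return dict(rolled)
```

Note that an upper-cased description still matches the filters but lands in its own `summarize` row, because `EventDescription` is one of the grouping columns; roll up by user and host if you want one line per endpoint.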