
List FileZilla SFTP Activity Not Blocked By Symantec Endpoint Protection

Description

This KQL query lists all FileZilla SFTP events that Symantec Endpoint Protection detected but did not block, along with a summary count of unique alerts for a given time frame.

Risk

Explain what risk this detection tries to cover.

References

Query

SymantecEndpointProtection
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: FileZilla SFTP Activity"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
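To make the filter and summarize semantics concrete, here is an added Python port of the query run over a few constructed SymantecEndpointProtection rows (example code, not part of the original page or of the Sentinel connector); the sample descriptions, users and addresses are constructed, and the helper reproduces the fact that KQL `contains` is a case-insensitive match.

```python
from collections import Counter

# Constructed text in the style of SEP IPS audit signatures (sample values, not real telemetry).
DESC_UNBLOCKED = "Audit: FileZilla SFTP Activity attack detected but not blocked. Application path: C:\\filezilla.exe"
DESC_BLOCKED = "Audit: FileZilla SFTP Activity attack blocked. Application path: C:\\filezilla.exe"

# Columns the KQL summarize groups by, in the same order as the query.
SUMMARIZE_KEYS = ("UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
                  "TrafficDirection", "IntrusionUrl", "EventDescription")


def make_event(user, log_type, desc, remote_ip="203.0.113.10"):
    """Build one constructed SymantecEndpointProtection row with only the columns the query touches."""
    return {"LogType": log_type, "EventDescription": desc, "UserName": user,
            "LocalHostIpAddr": "10.0.0.5", "RemoteHostName": "sftp.example.test",
            "RemoteHostIpAddr": remote_ip, "TrafficDirection": "Outbound", "IntrusionUrl": ""}


SAMPLE_EVENTS = [
    make_event("alice", "Agent Security Logs", DESC_UNBLOCKED),    # matches
    make_event("alice", "Agent Security Logs", DESC_UNBLOCKED),    # same group, Count becomes 2
    make_event("alice", "Agent Security Logs", DESC_BLOCKED),      # blocked: filtered out
    make_event("carol", "Agent System Logs", DESC_UNBLOCKED),      # wrong LogType: filtered out
    make_event("bob", "Agent Risk Logs", DESC_UNBLOCKED.upper()),  # risk log, odd casing: still matches
]


def kql_contains(value, needle):
    """KQL `contains` is a case-insensitive substring test, so the port lowercases both sides."""
    return needle.lower() in (value or "").lower()


def unblocked_filezilla_sftp(events):
    """Port of the query: apply the three where clauses, then summarize Count=count() by SUMMARIZE_KEYS."""
    counts = Counter()
    for ev in events:
        if ev.get("LogType") not in ("Agent Security Logs", "Agent Risk Logs"):
            continue
        desc = ev.get("EventDescription", "")
        if not (kql_contains(desc, "Audit: FileZilla SFTP Activity")
                and kql_contains(desc, "attack detected but not blocked")):
            continue
        counts[tuple(ev.get(k, "") for k in SUMMARIZE_KEYS)] += 1
    return counts


if __name__ == "__main__":
    for key, n in unblocked_filezilla_sftp(SAMPLE_EVENTS).items():
        print(n, dict(zip(SUMMARIZE_KEYS, key)))
```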
