List Generic Directory Traversal Not Blocked By Symantec Endpoint Protection
Description
This KQL query lists all generic directory traversal events that Symantec Endpoint Protection detected but did not block, together with a count of unique alert combinations for the selected time frame.
Risk
Symantec Endpoint Protection logs these events as "attack detected but not blocked", so the traversal request may have reached its target and read or written files outside the intended directory. This detection surfaces the unblocked events, grouped by user, host, direction and URL, so that responders can check whether the request succeeded and why the agent only audited it instead of blocking it.
Query
Microsoft Sentinel
Kusto
SymantecEndpointProtection
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: Generic Directory Traversal"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
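The same filter and summarize logic, applied to constructed sample records outside Sentinel, as an added example that is not part of the original page or the Symantec/Sentinel connector. It mirrors the KQL semantics the query relies on: `==` is a case-sensitive match on LogType, `contains` is a case-insensitive substring match on EventDescription, and the summarize groups on the same seven columns. All field values in SAMPLE_EVENTS are made up for this example.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample rows shaped like the SymantecEndpointProtection table columns
# the query reads. Every value here is invented for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # matches: audited, not blocked
        "LogType": "Agent Security Logs",
        "EventDescription": "Audit: Generic Directory Traversal attack detected but not blocked.",
        "UserName": "alice", "LocalHostIpAddr": "10.0.0.5",
        "RemoteHostName": "web01", "RemoteHostIpAddr": "203.0.113.7",
        "TrafficDirection": "Inbound", "IntrusionUrl": "/static/../../etc/passwd",
    },
    {   # same tuple again: should raise the count to 2, not add a row
        "LogType": "Agent Security Logs",
        "EventDescription": "Audit: Generic Directory Traversal attack detected but not blocked.",
        "UserName": "alice", "LocalHostIpAddr": "10.0.0.5",
        "RemoteHostName": "web01", "RemoteHostIpAddr": "203.0.113.7",
        "TrafficDirection": "Inbound", "IntrusionUrl": "/static/../../etc/passwd",
    },
    {   # blocked: the description lacks "attack detected but not blocked"
        "LogType": "Agent Risk Logs",
        "EventDescription": "Generic Directory Traversal attack blocked.",
        "UserName": "carol", "LocalHostIpAddr": "10.0.0.9",
        "RemoteHostName": "web02", "RemoteHostIpAddr": "198.51.100.3",
        "TrafficDirection": "Inbound", "IntrusionUrl": "/static/../../etc/shadow",
    },
    {   # wrong LogType: excluded even though the description matches
        "LogType": "Agent Traffic Logs",
        "EventDescription": "Audit: Generic Directory Traversal attack detected but not blocked.",
        "UserName": "dave", "LocalHostIpAddr": "10.0.0.11",
        "RemoteHostName": "web03", "RemoteHostIpAddr": "192.0.2.44",
        "TrafficDirection": "Inbound", "IntrusionUrl": "/images/../../web.config",
    },
    {   # matches: second distinct group, count 1
        "LogType": "Agent Risk Logs",
        "EventDescription": "Audit: Generic Directory Traversal attack detected but not blocked.",
        "UserName": "bob", "LocalHostIpAddr": "10.0.0.6",
        "RemoteHostName": "web01", "RemoteHostIpAddr": "203.0.113.8",
        "TrafficDirection": "Inbound", "IntrusionUrl": "/download?file=../../app.ini",
    },
]

# Columns the KQL "summarize ... by" clause groups on, in the same order.
GROUP_BY = (
    "UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
    "TrafficDirection", "IntrusionUrl", "EventDescription",
)

ALLOWED_LOG_TYPES = {"Agent Security Logs", "Agent Risk Logs"}  # KQL == is case-sensitive


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL 'contains' is a case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def is_unblocked_traversal(event: Dict[str, str]) -> bool:
    """Apply the three 'where' clauses of the query to one row."""
    desc = event.get("EventDescription", "")
    return (
        event.get("LogType") in ALLOWED_LOG_TYPES
        and kql_contains(desc, "Audit: Generic Directory Traversal")
        and kql_contains(desc, "attack detected but not blocked")
    )


def summarize_unblocked_traversal(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Filter the rows and emit one row per distinct GROUP_BY tuple with a Count column."""
    counts = Counter(
        tuple(e.get(col, "") for col in GROUP_BY)
        for e in events if is_unblocked_traversal(e)
    )
    # most_common() orders by Count descending, like "| sort by Count desc" would.
    return [dict(zip(GROUP_BY, key), Count=n) for key, n in counts.most_common()]


if __name__ == "__main__":
    for row in summarize_unblocked_traversal(SAMPLE_EVENTS):
        print(row["Count"], row["UserName"], row["RemoteHostIpAddr"], row["IntrusionUrl"])
```

Running the block against the sample rows yields two result rows: alice's repeated event with Count 2 and bob's with Count 1; the blocked event and the row from the wrong LogType are dropped, which is the behaviour to expect when validating the KQL against real connector data.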