List Malicious Scan Attempts Not Blocked by Symantec Endpoint Protection
Description
This KQL query lists all events in which Symantec Endpoint Protection detected a malicious scan attempt but did not block it, and returns a count of events for each unique combination of user, local host, remote host, traffic direction, intrusion URL and event description over the selected time range.
Risk
Explain what risk this detection tries to cover.
Query
Microsoft Sentinel
Kusto
SymantecEndpointProtection
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: Malicious Scan Attempt"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
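To check the rule's filter and grouping logic offline, here is an added Python re-implementation of the same query run over constructed sample rows; it is not part of the original page, and every value in the sample data is made up.

```python
"""Offline equivalent of the Sentinel KQL rule: filter detected-but-not-blocked
malicious scan attempts and count them per unique tuple of the grouping fields."""
from collections import Counter

# Column names follow the SymantecEndpointProtection table used by the KQL query.
GROUP_KEYS = ("UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
              "TrafficDirection", "IntrusionUrl", "EventDescription")
WANTED_LOG_TYPES = ("Agent Security Logs", "Agent Risk Logs")


def make_event(log_type, user, local_ip, remote_ip, direction, description):
    """Build one constructed log row (sample data, not real telemetry)."""
    return {"LogType": log_type, "UserName": user, "LocalHostIpAddr": local_ip,
            "RemoteHostName": "", "RemoteHostIpAddr": remote_ip,
            "TrafficDirection": direction, "IntrusionUrl": "",
            "EventDescription": description}


# Constructed sample rows: two identical unblocked scans, one blocked scan,
# one unblocked scan with different letter case, one row of the wrong LogType.
NOT_BLOCKED = "Audit: Malicious Scan Attempt, attack detected but not blocked"
SAMPLE_EVENTS = [
    make_event("Agent Security Logs", "alice", "10.0.0.5", "198.51.100.7", "Inbound", NOT_BLOCKED),
    make_event("Agent Security Logs", "alice", "10.0.0.5", "198.51.100.7", "Inbound", NOT_BLOCKED),
    make_event("Agent Security Logs", "bob", "10.0.0.9", "203.0.113.4", "Inbound",
               "Audit: Malicious Scan Attempt, attack detected and blocked"),
    make_event("Agent Risk Logs", "carol", "10.0.0.12", "203.0.113.9", "Outbound",
               "AUDIT: MALICIOUS SCAN ATTEMPT, ATTACK DETECTED BUT NOT BLOCKED"),
    make_event("Agent Traffic Logs", "dave", "10.0.0.20", "203.0.113.15", "Inbound", NOT_BLOCKED),
]


def kql_contains(haystack, needle):
    """KQL `contains` is case-insensitive, so compare lower-cased strings."""
    return needle.lower() in haystack.lower()


def matches(event):
    """The three `where` clauses of the query applied to one row."""
    desc = event.get("EventDescription", "")
    return (event.get("LogType") in WANTED_LOG_TYPES
            and kql_contains(desc, "Audit: Malicious Scan Attempt")
            and kql_contains(desc, "attack detected but not blocked"))


def summarize(events):
    """The `summarize Count=count() by ...` step: one row per unique key tuple."""
    counts = Counter(tuple(e.get(k, "") for k in GROUP_KEYS) for e in events if matches(e))
    return [dict(zip(GROUP_KEYS, key), Count=n) for key, n in counts.items()]


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row["UserName"], row["RemoteHostIpAddr"], row["Count"])
```

The blocked event and the row from the wrong log type are dropped, while the mixed-case description still matches because KQL `contains` ignores case.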