List P2P Torrent Traffic Not Blocked By Symantec Endpoint Protection
Description
This KQL query lists all P2P torrent traffic events that Symantec Endpoint Protection detected but did not block and a summary count of unique alerts for a given time frame.
Query
Microsoft Sentinel
Kusto
SymantecEndpointProtection
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: P2P Torrent Traffic"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription