List P2P Torrent Traffic Not Blocked By Symantec Endpoint Protection
This Kusto Query Language (KQL) script identifies peer-to-peer (P2P) torrent traffic events that Symantec Endpoint Protection has detected but failed to block. By filtering security logs, it highlights unmitigated attack attempts and summarizes unique alerts, assisting security analysts in threat hunting and incident investigation.
Risk
Unblocked P2P torrent traffic poses a significant security risk because it often bypasses traditional endpoint defenses. Such traffic can facilitate unauthorized data sharing and malware distribution, and it widens the network's exposure. Monitoring these events is critical to strengthening security posture and preventing potential breaches.
Query
Microsoft Sentinel
SymantecEndpointProtection
// Restrict to the two SEP log types that carry IPS/audit events.
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
// Keep only the P2P torrent audit signature (contains is case-insensitive in KQL).
| where EventDescription contains "Audit: P2P Torrent Traffic"
// Keep only events where SEP detected the traffic but did not block it.
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
This query searches Symantec Endpoint Protection logs within Microsoft Sentinel, filtering for audit events specifically related to P2P torrent traffic where an attack was detected but not blocked. The summary aggregates the total counts grouped by user, local and remote IP addresses, traffic direction, and related intrusion details, so each row in the result represents one distinct unblocked alert pattern.
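To make the filter semantics concrete, the following added example (not part of the original page or of any Symantec or Microsoft code) replays the query's three `where` clauses and the `summarize` over a handful of constructed records shaped like the Sentinel table columns. It assumes the sample field values and hostnames are fictitious and illustrates why a blocked event, a record from another log type, and a differently cased description are kept or dropped.

```python
from collections import Counter

# Constructed sample records (not real telemetry) shaped like the
# SymantecEndpointProtection columns the query groups by.
SAMPLE_EVENTS = [
    {"LogType": "Agent Security Logs", "UserName": "alice", "LocalHostIpAddr": "10.0.0.5",
     "RemoteHostName": "", "RemoteHostIpAddr": "203.0.113.10", "TrafficDirection": "Outbound",
     "IntrusionUrl": "", "EventDescription": "Audit: P2P Torrent Traffic attack detected but not blocked"},
    {"LogType": "Agent Security Logs", "UserName": "alice", "LocalHostIpAddr": "10.0.0.5",
     "RemoteHostName": "", "RemoteHostIpAddr": "203.0.113.10", "TrafficDirection": "Outbound",
     "IntrusionUrl": "", "EventDescription": "Audit: P2P Torrent Traffic attack detected but not blocked"},
    # Blocked variant: fails the "not blocked" clause, so it is dropped.
    {"LogType": "Agent Security Logs", "UserName": "bob", "LocalHostIpAddr": "10.0.0.6",
     "RemoteHostName": "", "RemoteHostIpAddr": "198.51.100.7", "TrafficDirection": "Inbound",
     "IntrusionUrl": "", "EventDescription": "Audit: P2P Torrent Traffic attack blocked"},
    # Other log type: dropped even though the description matches.
    {"LogType": "Agent Traffic Logs", "UserName": "carol", "LocalHostIpAddr": "10.0.0.7",
     "RemoteHostName": "", "RemoteHostIpAddr": "192.0.2.3", "TrafficDirection": "Outbound",
     "IntrusionUrl": "", "EventDescription": "Audit: P2P Torrent Traffic attack detected but not blocked"},
    # Different letter case: KQL `contains` is case-insensitive, so this is kept.
    {"LogType": "Agent Risk Logs", "UserName": "dave", "LocalHostIpAddr": "10.0.0.8",
     "RemoteHostName": "seed.example", "RemoteHostIpAddr": "192.0.2.9", "TrafficDirection": "Inbound",
     "IntrusionUrl": "", "EventDescription": "audit: p2p torrent traffic ATTACK DETECTED BUT NOT BLOCKED"},
]

GROUP_KEYS = ("UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
              "TrafficDirection", "IntrusionUrl", "EventDescription")


def kql_contains(value, needle):
    """Mimic KQL `contains`: case-insensitive substring test (`contains_cs` is the case-sensitive form)."""
    return needle.lower() in str(value).lower()


def unblocked_p2p_summary(events):
    """Apply the query's three where clauses, then summarize count() by GROUP_KEYS."""
    counts = Counter()
    for ev in events:
        # `==` on LogType is an exact, case-sensitive comparison in KQL.
        if ev.get("LogType") not in ("Agent Security Logs", "Agent Risk Logs"):
            continue
        desc = ev.get("EventDescription", "")
        if not (kql_contains(desc, "Audit: P2P Torrent Traffic")
                and kql_contains(desc, "attack detected but not blocked")):
            continue
        counts[tuple(ev.get(k, "") for k in GROUP_KEYS)] += 1
    return counts


if __name__ == "__main__":
    for key, n in unblocked_p2p_summary(SAMPLE_EVENTS).items():
        print(n, dict(zip(GROUP_KEYS, key)))
```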