
List Suspicious Process Accessing A Website Not Blocked By Symantec Endpoint Protection

Description

This query lists all "Suspicious Process Accessing a Website" events that Symantec Endpoint Protection detected but did not block, together with a count of each distinct alert (user, host, remote host, direction, URL and description) for the selected time frame.

Query

SymantecEndpointProtection
// Only the agent security and risk logs carry these IPS audit events
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
// Note: KQL `contains` is case-insensitive (use contains_cs for a case-sensitive match)
| where EventDescription contains "Audit: Suspicious Process Accessing"
// Keep only detections the agent did not block
| where EventDescription contains "attack detected but not blocked"
// One row per distinct alert tuple with the number of times it occurred
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
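To check what the query's filters keep and drop before running it in a workspace, the same logic can be replayed offline over a handful of constructed rows. The block below is an added example, not code from the page or from Microsoft Sentinel; the records, user names, addresses and URLs are constructed, and the only SEP-specific assumption is the column names already used by the query. It mirrors each `where` clause (including the case-insensitive semantics of KQL `contains`) and the `summarize ... by` grouping.

```python
"""Offline re-implementation of the Sentinel query's filter and summarize logic
(added example; not the page's own code and not a Sentinel API).  Rows mimic
the SymantecEndpointProtection columns the query uses; all values are constructed."""
from collections import Counter

# Columns the KQL `summarize ... by` groups on, in the same order.
GROUP_KEYS = ("UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
              "TrafficDirection", "IntrusionUrl", "EventDescription")


def _event(log_type, user, description, **overrides):
    """Build one constructed SymantecEndpointProtection-shaped row."""
    row = {"LogType": log_type, "UserName": user, "LocalHostIpAddr": "10.0.0.5",
           "RemoteHostName": "example.invalid", "RemoteHostIpAddr": "203.0.113.10",
           "TrafficDirection": "Outbound", "IntrusionUrl": "http://example.invalid/",
           "EventDescription": description}
    row.update(overrides)
    return row


UNBLOCKED = "[SID: 00000] Audit: Suspicious Process Accessing a Website attack detected but not blocked."
BLOCKED = "[SID: 00000] Audit: Suspicious Process Accessing a Website attack blocked."

# Constructed sample rows: two identical unblocked hits, one blocked hit, one hit in a
# log type the query ignores, and one risk-log hit in different letter case.
SAMPLE_EVENTS = [
    _event("Agent Security Logs", "alice", UNBLOCKED),
    _event("Agent Security Logs", "alice", UNBLOCKED),            # same tuple again -> Count 2
    _event("Agent Security Logs", "alice", BLOCKED),              # blocked -> dropped
    _event("Agent Traffic Logs", "alice", UNBLOCKED),             # wrong LogType -> dropped
    _event("Agent Risk Logs", "bob", UNBLOCKED.upper(), LocalHostIpAddr="10.0.0.9"),  # kept
]


def kql_contains(haystack, needle):
    """KQL `contains` is case-insensitive; `contains_cs` is the case-sensitive form."""
    return needle.lower() in (haystack or "").lower()


def unblocked_suspicious_process_events(events):
    """Apply the query's three `where` clauses and return the surviving rows."""
    return [
        e for e in events
        if e.get("LogType") in ("Agent Security Logs", "Agent Risk Logs")
        and kql_contains(e.get("EventDescription"), "Audit: Suspicious Process Accessing")
        and kql_contains(e.get("EventDescription"), "attack detected but not blocked")
    ]


def summarize(events):
    """Mirror `summarize Count=count() by <GROUP_KEYS>`: one dict per distinct tuple."""
    counts = Counter(tuple(e.get(k) for k in GROUP_KEYS)
                     for e in unblocked_suspicious_process_events(events))
    return [dict(zip(GROUP_KEYS, key), Count=n) for key, n in counts.items()]


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row["Count"], row["UserName"], row["LocalHostIpAddr"], row["IntrusionUrl"])
```

Of the five constructed rows, three survive the filters and collapse into two summary rows (alice with Count 2, bob with Count 1). The upper-cased description is kept deliberately: if you want the Sentinel query to match only the exact casing of the SEP signature text, switch `contains` to `contains_cs`.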
