Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft SentinelSECURESymantec Endpoint Protection

List Untrusted SSH File Transfer Protocol Connection Not Blocked By Symantec Endpoint Protection

Wayne Andes 2 min read

Description

This KQL query lists all untrusted SSH file transfer protocol connection events that Symantec Endpoint Protection detected but did not block and a summary count of unique alerts for a given time frame.

Query

Microsoft Sentinel
Kusto
SymantecEndpointProtection
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: Untrusted SSH File Transfer Protocol Connection"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription

References

You May Also Like

List Conditional Access Policy That Was Changed

Wayne Andes

Visualize Daily Incident Triggers

Wayne Andes

Detect Anomalous Amount of LDAP Traffic

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *