List Untrusted SSH File Transfer Protocol Connection Not Blocked By Symantec Endpoint Protection
Detecting untrusted SSH File Transfer Protocol connection events helps security teams spot SFTP sessions that Symantec Endpoint Protection saw but allowed. This KQL query returns events where the Symantec IPS audit signature for an untrusted SSH file transfer fired with the outcome "attack detected but not blocked", and summarizes them by user, local and remote host, IP address and traffic direction. Because Symantec audit signatures log rather than block by default, these rows are not failures of the product; they are the endpoints and users whose SFTP activity nobody has yet decided to allow or block, which is exactly the population worth reviewing.
Risk
SFTP sessions that are detected but not blocked give an attacker an encrypted, endpoint-sanctioned channel. Outbound, they can carry data exfiltration; inbound, they can deliver tooling or payloads, and in both cases the contents are invisible to network inspection. Left unreviewed, these connections become a standing pathway into and out of sensitive systems, so each distinct user/host/remote pair should be triaged promptly: either confirm it as an approved transfer (and exclude it from the query) or escalate it as a potential compromise.
Query
Microsoft Sentinel
SymantecEndpointProtection
// IPS audit events arrive in the agent security and risk logs
| where LogType in ("Agent Security Logs", "Agent Risk Logs")
// 'contains' is case-insensitive; match the audit signature name first...
| where EventDescription contains "Audit: Untrusted SSH File Transfer Protocol Connection"
// ...then keep only the allowed outcome (blocked events read "attack blocked")
| where EventDescription contains "attack detected but not blocked"
// one row per distinct user/host/remote/direction tuple, with first and last sighting
| summarize Count=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
The query filters Symantec Endpoint Protection logs to the untrusted SSH file transfer audit signature, keeps only events whose outcome was detected but not blocked, and aggregates by user and network identifiers so each row is one distinct connection pattern with its hit count and first/last sighting in the selected time range. The two "contains" clauses are deliberately separate: the first pins the signature, the second the outcome, so a blocked event with the same signature never appears. Once a row is confirmed as an approved transfer, exclude it by RemoteHostIpAddr or UserName rather than loosening either clause.
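The same filter and summarize logic, re-implemented offline so the rule can be checked against known inputs before it is deployed. This is an added example, not code from the original page or from Symantec or Microsoft; the rows are constructed to look like the SymantecEndpointProtection parser output (column names taken from the query, values made up), and the helper names are this example's own.

```python
"""Offline check of the Sentinel query's filter and summarize steps.

Added example (not from the original page, Symantec or Microsoft). The sample
rows below are constructed; column names mirror the query, values are made up.
"""
from collections import Counter


def _row(log_type, user, local_ip, remote_host, remote_ip, direction, desc, url=""):
    """Build one parsed-log row with the columns the query references."""
    return {"LogType": log_type, "UserName": user, "LocalHostIpAddr": local_ip,
            "RemoteHostName": remote_host, "RemoteHostIpAddr": remote_ip,
            "TrafficDirection": direction, "IntrusionUrl": url,
            "EventDescription": desc}


NOT_BLOCKED_DESC = ("Audit: Untrusted SSH File Transfer Protocol Connection "
                    "attack detected but not blocked. Traffic has been allowed.")
BLOCKED_DESC = ("Audit: Untrusted SSH File Transfer Protocol Connection "
                "attack blocked. Traffic has been blocked.")

# Constructed sample events (index order matters for the comments below).
SAMPLE_EVENTS = [
    _row("Agent Security Logs", "alice", "10.0.0.5", "files.example.net",
         "203.0.113.10", "Outbound", NOT_BLOCKED_DESC),
    # exact duplicate of the row above: summarize must report Count=2, not two rows
    _row("Agent Security Logs", "alice", "10.0.0.5", "files.example.net",
         "203.0.113.10", "Outbound", NOT_BLOCKED_DESC),
    _row("Agent Risk Logs", "bob", "10.0.0.9", "", "198.51.100.7",
         "Inbound", NOT_BLOCKED_DESC),
    # same signature but blocked outcome: must be excluded
    _row("Agent Security Logs", "carol", "10.0.0.12", "files.example.net",
         "203.0.113.10", "Outbound", BLOCKED_DESC),
    # matching text in a log type the query does not read: must be excluded
    _row("Agent Traffic Logs", "dave", "10.0.0.20", "", "203.0.113.10",
         "Outbound", NOT_BLOCKED_DESC),
    # mixed case: KQL 'contains' is case-insensitive, so this must still match
    _row("Agent Security Logs", "erin", "10.0.0.31", "", "192.0.2.44",
         "Outbound", NOT_BLOCKED_DESC.upper()),
]

LOG_TYPES = {"Agent Security Logs", "Agent Risk Logs"}
SIGNATURE = "Audit: Untrusted SSH File Transfer Protocol Connection".lower()
NOT_BLOCKED = "attack detected but not blocked"
GROUP_BY = ("UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
            "TrafficDirection", "IntrusionUrl", "EventDescription")


def matches(event):
    """Mirror the three 'where' clauses of the query (case-insensitive contains)."""
    desc = event.get("EventDescription", "").lower()
    return (event.get("LogType") in LOG_TYPES
            and SIGNATURE in desc
            and NOT_BLOCKED in desc)


def summarize(events):
    """Mirror 'summarize Count=count() by ...': one row per distinct key tuple.

    Rows are returned most-frequent first, then by user name, so the noisiest
    connection pattern is at the top of the triage list.
    """
    counts = Counter(tuple(e.get(k, "") for k in GROUP_BY)
                     for e in events if matches(e))
    rows = [dict(zip(GROUP_BY, key), Count=n) for key, n in counts.items()]
    rows.sort(key=lambda r: (-r["Count"], r["UserName"]))
    return rows


if __name__ == "__main__":
    for r in summarize(SAMPLE_EVENTS):
        print(r["Count"], r["UserName"], r["TrafficDirection"],
              r["RemoteHostIpAddr"] or r["RemoteHostName"])
```

Run it against a handful of real rows exported from the workspace to confirm the signature text and the "attack detected but not blocked" wording match what your agents actually emit before relying on the Sentinel rule; if the wording differs, change both the query and the constants here together.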