
List Website Connections Allowed by Symantec Endpoint Protection

This KQL query identifies connections to potentially malicious websites that Symantec Endpoint Protection (SEP) detected but did not block. It returns a count of matching events grouped by user, local and remote IP address, remote host name, traffic direction, the URL that triggered the intrusion prevention signature, and the event text, within the query's time range. In Microsoft Sentinel it supports hunting for risky connections that SEP logged but allowed, and gives an investigator a starting point for triage.

Risk

The risk this detection addresses is that SEP's intrusion prevention recognized a suspicious or malicious website connection but let it proceed. The phrase "attack detected but not blocked" is what SEP writes for IPS signatures running in audit (log-only) mode, so these events are expected wherever an administrator has not switched the signature to block; the question for the analyst is whether that policy choice is still acceptable for the hosts and destinations involved. An allowed connection of this kind may reveal a policy gap or an unmanaged host, and if the endpoint is already compromised it may be command-and-control or data exfiltration traffic that no control stopped. Reviewing these events promptly narrows the window in which such an intrusion or leak goes unnoticed.

Query

Microsoft Sentinel (Kusto)

let lookback = 1d;  // hunting window; widen for retrospective review
SymantecEndpointProtection
| where TimeGenerated >= ago(lookback)
// IPS events are written to the agent security and risk logs
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
// "Audit:" signatures log the connection; this phrase marks it as allowed
| where EventDescription contains "Audit: Connection to"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
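The following Python script is an added example, not code from the original page or from the Sentinel SymantecEndpointProtection parser. It replays the query's three filters and its grouping over constructed rows so the matching rules can be checked offline: which event text counts as allowed, why a blocked event and a row from another log type drop out, and how KQL's case-insensitive `contains` behaves. The column names come from the query above; every value, the record shape, the helper `make_row`, and the one-day lookback are assumptions made for the example.

```python
"""Offline replica of the SEP "detected but not blocked" hunting query.

Added example, not code from the original page or the Sentinel parser.
Column names follow the query; values, record shape and the one-day
lookback are constructed assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed "now" so the lookback filter is deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Columns named in the query's `summarize ... by` clause.
GROUP_KEYS = ("UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
              "TrafficDirection", "IntrusionUrl", "EventDescription")


def make_row(hours_ago, log_type, description, user, url, remote_ip, remote_host="bad.example"):
    """Build one constructed SEP row carrying only the columns the query touches."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "LogType": log_type,
        "EventDescription": description,
        "UserName": user,
        "LocalHostIpAddr": "10.0.0.5",
        "RemoteHostName": remote_host,
        "RemoteHostIpAddr": remote_ip,
        "TrafficDirection": "Outbound",
        "IntrusionUrl": url,
    }


# Constructed event texts modelled on the two phrases the query filters on.
ALLOWED = "Audit: Connection to Suspicious Domain attack detected but not blocked."
BLOCKED = "Audit: Connection to Suspicious Domain attack blocked."

# Constructed sample: two identical hits, one hit in lower case with another
# URL, one blocked event, one row from the wrong log type, one stale hit.
SAMPLE_ROWS = [
    make_row(1, "Agent Security Logs", ALLOWED, "jdoe", "http://bad.example/a", "203.0.113.10"),
    make_row(2, "Agent Security Logs", ALLOWED, "jdoe", "http://bad.example/a", "203.0.113.10"),
    make_row(3, "Agent Risk Logs", ALLOWED.lower(), "asmith", "http://bad.example/b", "203.0.113.10"),
    make_row(4, "Agent Security Logs", BLOCKED, "jdoe", "http://bad.example/c", "203.0.113.10"),
    make_row(5, "Agent System Logs", ALLOWED, "jdoe", "http://bad.example/d", "203.0.113.10"),
    make_row(72, "Agent Security Logs", ALLOWED, "jdoe", "http://bad.example/e", "203.0.113.10"),
]


def matches(row):
    """Mirror the three `where` clauses. KQL `contains` is case-insensitive,
    so both phrases are compared against the lower-cased description."""
    if row["LogType"] not in ("Agent Security Logs", "Agent Risk Logs"):
        return False
    desc = row["EventDescription"].lower()
    return "audit: connection to" in desc and "attack detected but not blocked" in desc


def summarize(rows, lookback=timedelta(days=1), now=NOW):
    """Mirror `summarize Count=count() by <GROUP_KEYS>` inside the lookback window."""
    counts = Counter()
    for row in rows:
        if row["TimeGenerated"] < now - lookback:
            continue  # outside the hunting window, as `ago(lookback)` would drop it
        if matches(row):
            counts[tuple(row[k] for k in GROUP_KEYS)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Prints two groups: jdoe/.../a with Count 2 and asmith/.../b with Count 1.
    for key, count in sorted(summarize(SAMPLE_ROWS).items(), key=lambda kv: -kv[1]):
        print(count, dict(zip(GROUP_KEYS, key)))
```

Widening `lookback` to seven days pulls the stale row back in as a third group, which is the same effect as widening the time range in Sentinel; the blocked event and the "Agent System Logs" row stay excluded regardless of the window.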
