List Website Connections Allowed by Symantec Endpoint Protection
Description
This KQL query lists all connections to potential and malicious websites events that Symantec Endpoint Protection detected but did not block and a summary count of unique alerts for a given time frame.
Risk
Explain what risk this detection tries to cover.
Query
Microsoft Sentinel
Kusto
SymantecEndpointProtection
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: Connection to"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription