Suspicious Directory Traversal Detection Using KQL in Symantec Logs
This article shows how to detect suspicious directory traversal activity that Symantec Endpoint Protection logs but does not block, using a Kusto Query Language (KQL) query in Microsoft Sentinel. The query surfaces generic directory traversal events, with the emphasis on attacks that were detected but not prevented, giving analysts visibility into threats that slip past the endpoint's blocking controls.
Risk
Directory traversal is a critical attack vector where malicious users manipulate file paths to access directories and files outside the intended scope. When Symantec Endpoint Protection detects but does not block such attacks, it indicates potential gaps in the security controls, allowing threat actors to explore sensitive system areas. This exposure can lead to unauthorized data access, privilege escalation, and ultimately system compromise.
Query
Microsoft Sentinel
SymantecEndpointProtection
| where LogType == "Agent Security Logs" or LogType == "Agent Risk Logs"
| where EventDescription contains "Audit: Generic Directory Traversal"
| where EventDescription contains "attack detected but not blocked"
| summarize Count=count() by UserName, LocalHostIpAddr, RemoteHostName, RemoteHostIpAddr, TrafficDirection, IntrusionUrl, EventDescription
This KQL query filters the Symantec Endpoint Protection table in Microsoft Sentinel down to events categorized as "Agent Security Logs" or "Agent Risk Logs". It then keeps only entries whose description mentions a generic directory traversal audit and states that the attack was detected but not blocked; note that KQL's `contains` is a case-insensitive substring match, so the description does not need to match the quoted text's exact case. The final `summarize` counts occurrences per user, local and remote host, traffic direction and intrusion URL, helping analysts pinpoint who is involved and where the suspicious activity is occurring.
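To show the same filter-and-summarize logic run offline, here is an added Python example (not from the original article) that mirrors the KQL query over constructed Symantec-style records; the record builder, field values and sample descriptions are assumptions, not real telemetry.

```python
"""Offline mirror of the Sentinel KQL query: three `where` filters followed by
`summarize Count=count() by ...`, applied to constructed SEP-style records."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Grouping key from the query's `summarize ... by` clause.
GROUP_BY = ("UserName", "LocalHostIpAddr", "RemoteHostName", "RemoteHostIpAddr",
            "TrafficDirection", "IntrusionUrl", "EventDescription")


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def matches(rec: Dict[str, str]) -> bool:
    """Apply the query's three `where` filters to one record."""
    desc = rec.get("EventDescription", "")
    return (rec.get("LogType") in ("Agent Security Logs", "Agent Risk Logs")
            and kql_contains(desc, "Audit: Generic Directory Traversal")
            and kql_contains(desc, "attack detected but not blocked"))


def summarize(records: Iterable[Dict[str, str]]) -> Dict[Tuple[str, ...], int]:
    """Equivalent of `summarize Count=count() by <GROUP_BY>`."""
    return dict(Counter(tuple(r.get(f, "") for f in GROUP_BY)
                        for r in records if matches(r)))


def _rec(log_type: str, user: str, desc: str) -> Dict[str, str]:
    """Build a constructed record (hypothetical field values)."""
    return {"LogType": log_type, "UserName": user, "LocalHostIpAddr": "10.0.0.5",
            "RemoteHostName": "web01", "RemoteHostIpAddr": "198.51.100.7",
            "TrafficDirection": "Inbound", "IntrusionUrl": "/app/?path=../../config",
            "EventDescription": desc}


# Constructed sample descriptions built around the substrings the query looks for.
NOT_BLOCKED = "Audit: Generic Directory Traversal attack detected but not blocked."
BLOCKED = "Audit: Generic Directory Traversal attack blocked."

SAMPLE_RECORDS: List[Dict[str, str]] = [
    _rec("Agent Security Logs", "alice", NOT_BLOCKED),
    _rec("Agent Security Logs", "alice", NOT_BLOCKED),   # repeat -> Count 2 for alice
    _rec("Agent Risk Logs", "bob", NOT_BLOCKED.upper()),  # case differs, still matches
    _rec("Agent Security Logs", "carol", BLOCKED),        # blocked -> excluded
    _rec("Agent System Logs", "dave", NOT_BLOCKED),       # wrong LogType -> excluded
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_RECORDS).items():
        print(count, key[0], key[5])
```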