About monitoring user operations for apps that SmartScreen warned
S-Zinroku, a few methods of forwarding the event logs related to "SmartScreen".
Method 1) If you have an E5 license, you can use MDE's (security.microsoft.com) Advanced Hunting query to create a query for the SmartScreen alerts.
or
Method 2)
Use Azure Monitor to collect the event logs, in this case for SmartScreen.
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events
or
Method 3)
Use Windows Event Forwarding (WEF); on the WEC server, create a script to ingest the event log into an Excel, Power BI or SQL database.
I hope this helps.
Thanks,
Yong Rhee [MSFT]
P.S. Additionally, if you are using Microsoft Defender Antivirus (MDAV) and you have an E3/A3 license, you are able to see the AV alerts and different reports. Please take a look here:
Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-plan-1-now-included-in-m365-e3/ba-p/3060639
Set up and configure Microsoft Defender for Endpoint Plan 1 | Microsoft Docs
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration?view=o365-worldwide#plan-your-deployment
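
For Method 1, an Advanced Hunting query along these lines summarizes SmartScreen app warnings per device and how often a warning was overridden. This is an added example, not part of the original reply; it assumes the `SmartScreenAppWarning` and `SmartScreenUserOverride` action types of the `DeviceEvents` table, and the 7-day window and set-size limits are arbitrary choices.

```kusto
// Added example: SmartScreen app warnings and user overrides per device.
// Assumption: the tenant's DeviceEvents table records these two ActionType values.
let lookback = 7d;                      // arbitrary window, adjust as needed
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ("SmartScreenAppWarning", "SmartScreenUserOverride")
| summarize
    Warnings  = countif(ActionType == "SmartScreenAppWarning"),
    Overrides = countif(ActionType == "SmartScreenUserOverride"),
    Files     = make_set(FileName, 20),                     // files named in the events
    Accounts  = make_set(InitiatingProcessAccountName, 10), // may be empty for some events
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
    by DeviceId, DeviceName
| where Warnings > 0
| order by Overrides desc, LastSeen desc
```

Devices at the top of the result are those where users most often continued past a warning, which is usually the first place to review.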