yowershell
Copper Contributor
Jul 29, 2020

Advanced Hunting for SmartScreen events

Recently I've been working on some Advanced Hunting queries for Web Content Filtering. This data is easy to find for third-party browsers such as Chrome or Firefox, assuming Network Protection is turned on. Simply query DeviceEvents | where ActionType == 'ExploitGuardNetworkProtectionBlocked'. However, Edge does not use Network Protection to block sites based on Web Content Filtering. It utilizes SmartScreen. As such, I would expect that these events would be under the 'SmartScreenUrlWarning' ActionType. However, this doesn't return any data. In fact, I've found that none of the SmartScreen-related ActionTypes return any data. I've confirmed that SmartScreen is enabled and functional with the tools on demo.wd.com. Has anyone been able to successfully query SmartScreen data through Advanced Hunting?
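
An added example, not part of the original post: one query that puts the two block paths named above side by side, so a missing SmartScreen row stands out against Network Protection rows for the same period. The Experience and ResponseCategory keys read from AdditionalFields are assumptions about the event payload, and the 7-day lookback is an arbitrary choice.

```kusto
// Added example (not from the original thread).
// Compares Network Protection blocks with any SmartScreen* events per browser.
// Assumption: AdditionalFields is JSON; the Experience / ResponseCategory keys
// are assumed names and simply yield an empty Reason if the events lack them.
let lookback = 7d;   // assumed window, adjust to the tenant's retention
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
     or ActionType startswith "SmartScreen"
| extend Fields = parse_json(AdditionalFields)
| extend Mechanism = iff(ActionType startswith "SmartScreen",
                         "SmartScreen", "NetworkProtection"),
         // coalesce() skips empty strings, so whichever key is present wins
         Reason = coalesce(tostring(Fields.Experience),
                           tostring(Fields.ResponseCategory))
| summarize Events    = count(),
            Devices   = dcount(DeviceId),
            LastSeen  = max(Timestamp),
            SampleUrl = take_any(RemoteUrl)
         by Mechanism, ActionType, Browser = InitiatingProcessFileName, Reason
| order by Mechanism asc, Events desc
```

If the result contains only NetworkProtection rows, the SmartScreen events are absent from DeviceEvents for that window rather than filtered out by the ActionType comparison.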

3 Replies

  • braedachau
    Brass Contributor

    I'm not sure if I can help, but this doesn't work for you

    https://security.microsoft.com/webcontentfilteringcategoriesdetailspage?viewid=webCategories

    Obviously the data has come from somewhere. You obviously have to turn it on in MSDE.
    Tenant has MSDE and MSCAS enabled.

    • Sergg
      Iron Contributor
      Thank you for pointing to the new Security GUI reports (https://security.microsoft.com/webprotection).
      The old GUI reports (https://securitycenter.windows.com/reports/webThreatProtection) are not the same as the new ones. The main difference: the "Details" buttons are missing.
  • Sergg
    Iron Contributor

    I found it difficult to investigate Web Content Filtering as well.

    Besides, it is impossible to find the category of a Web Filtering blocked URL.

    There is https://incompass.netstar-inc.com/urlsearch but it's unclear how this correlates to Microsoft MDATP Network Protection Web Filtering decisions.
