Does Defender Smartscreen trigger an MDE alert.

Question

Hi,&nbsp;Was wondering if there was a way to see Defender SmartScreen event/alert in MDE Security portal?&nbsp;For example, lets says Defender Smartscreen is configured and try&nbsp; the Defender Smartscreen test website:&nbsp;https://demo.smartscreen.msft.net/&nbsp;Should alert flow thru MDE security portal?&nbsp;Thanks&nbsp;Jean-Philippe

jean-philippe breton · Answer

Oh thanks for the query !!It will be very helpful.I just find it weird that Smartscreen event do not show up in Alerts dashboard in MDE...

jonhed · Answer

Jean-Philippe Breton&nbsp;Not 100% sure if an alert will be generated, but you should be able to see events from Advanced Hunting.&nbsp;This is a query I used lately to find malicious URLs blocked by smartscreen and network protection.DeviceEvents
| where (ActionType == "ExploitGuardNetworkProtectionBlocked" and parse_json(AdditionalFields).ResponseCategory != "CustomPolicy") or
 (ActionType == "SmartScreenUrlWarning" and parse_json(AdditionalFields).Experience != "CustomPolicy")&nbsp;The ActionType "SmartScreenUrlWarning" shows the Smartscreen browser events, and I think there was a "SmartScreenFileWarning" for file events too.

jonhed · Answer

When looking at my test environment, I noticed a few alerts with the source listed as SmartScreen, when doing the test below.
https://demo.wd.microsoft.com/Page/NP

The prerequisites for the test does say not to use Edge though.. My alerts came from Internet Explorer.

jean-philippe breton · Answer

I also get that alert from Network Protection. Looks like only Edge + Smartscreen does not trigger an alert.Chatting with a FastTrack engineer, here is his response :" That is expected behavior for the SmartScreen for Edge. Only components like Network Protection and indicators will use SmartScreen and will pop alerts. You would need to leverage advanced hunting/custom detections in order to pop alerts for SmartScreen for edge. If you jump into AH, you can select Queries at the top left tab and scroll down to Protection Events where you find the SmartScreen built in queries. You can either run with these or customize it a bit. After that you can leverage a custom detection on top of it to fire off alerts. "

jonhed · Answer

Jean-Philippe BretonThank you very much for sharing that info.Feels a bit weird that they chose to ignore Edge smartscreen in the builtin alerts since the events are there in AH, but at least it can be done manually if needed.

Forum Discussion

Does Defender Smartscreen trigger an MDE alert.

6 Replies

Resources