Forum Discussion
Does Defender Smartscreen trigger an MDE alert.
Hi, Was wondering if there was a way to see Defender SmartScreen event/alert in MDE Security portal? For example, lets says Defender Smartscreen is configured and try the Defender Smartscree...
Not 100% sure if an alert will be generated, but you should be able to see events from Advanced Hunting.
This is a query I used lately to find malicious URLs blocked by smartscreen and network protection.
DeviceEvents
| where (ActionType == "ExploitGuardNetworkProtectionBlocked" and parse_json(AdditionalFields).ResponseCategory != "CustomPolicy") or
(ActionType == "SmartScreenUrlWarning" and parse_json(AdditionalFields).Experience != "CustomPolicy")The ActionType "SmartScreenUrlWarning" shows the Smartscreen browser events, and I think there was a "SmartScreenFileWarning" for file events too.
- Oh thanks for the query !!
It will be very helpful.
I just find it weird that Smartscreen event do not show up in Alerts dashboard in MDE...When looking at my test environment, I noticed a few alerts with the source listed as SmartScreen, when doing the test below.
https://demo.wd.microsoft.com/Page/NP
The prerequisites for the test does say not to use Edge though.. My alerts came from Internet Explorer.- I also get that alert from Network Protection. Looks like only Edge + Smartscreen does not trigger an alert.
Chatting with a FastTrack engineer, here is his response :
" That is expected behavior for the SmartScreen for Edge. Only components like Network Protection and indicators will use SmartScreen and will pop alerts. You would need to leverage advanced hunting/custom detections in order to pop alerts for SmartScreen for edge. If you jump into AH, you can select Queries at the top left tab and scroll down to Protection Events where you find the SmartScreen built in queries. You can either run with these or customize it a bit. After that you can leverage a custom detection on top of it to fire off alerts. "
