Forum Discussion
Does Defender SmartScreen trigger an MDE alert?
Not 100% sure if an alert will be generated, but you should be able to see events from Advanced Hunting.
This is a query I used lately to find malicious URLs blocked by smartscreen and network protection.
// Network Protection blocks and SmartScreen URL warnings, excluding hits on custom indicators
DeviceEvents
| where (ActionType == "ExploitGuardNetworkProtectionBlocked" and parse_json(AdditionalFields).ResponseCategory != "CustomPolicy")
    or (ActionType == "SmartScreenUrlWarning" and parse_json(AdditionalFields).Experience != "CustomPolicy")
The ActionType "SmartScreenUrlWarning" shows the Smartscreen browser events, and I think there was a "SmartScreenFileWarning" for file events too.
It will be very helpful.
I just find it weird that SmartScreen events do not show up in the Alerts dashboard in MDE...
- Jonhed, Nov 19, 2021, Iron Contributor
When looking at my test environment, I noticed a few alerts with the source listed as SmartScreen when doing the test below.
https://demo.wd.microsoft.com/Page/NP
The prerequisites for the test do say not to use Edge though. My alerts came from Internet Explorer.

- Jean-Philippe Breton, Nov 25, 2021, Iron Contributor
I also get that alert from Network Protection. Looks like only Edge + SmartScreen does not trigger an alert.
Chatting with a FastTrack engineer, here is his response:
"That is expected behavior for the SmartScreen for Edge. Only components like Network Protection and indicators will use SmartScreen and will pop alerts. You would need to leverage advanced hunting/custom detections in order to pop alerts for SmartScreen for Edge. If you jump into AH, you can select Queries at the top left tab and scroll down to Protection Events where you find the SmartScreen built-in queries. You can either run with these or customize it a bit. After that you can leverage a custom detection on top of it to fire off alerts."

- Jonhed, Nov 25, 2021, Iron Contributor
Jean-Philippe Breton
Thank you very much for sharing that info. Feels a bit weird that they chose to ignore Edge SmartScreen in the built-in alerts since the events are there in AH, but at least it can be done manually if needed.
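The query in the first reply and the FastTrack advice to put a custom detection on top of Advanced Hunting can be combined into one query. The block below is an added example, not a query from this thread or from Microsoft's built-in Protection Events queries. It keeps the "CustomPolicy" exclusion from the first reply (those hits already raise alerts through indicators), outputs the Timestamp, DeviceId and ReportId columns a custom detection rule requires, and joins in SmartScreenUserOverride events so the rule can show whether the user clicked through the warning. The ActionType SmartScreenUserOverride and the RemoteUrl / InitiatingProcess* columns are taken from the DeviceEvents schema as I know it; the one-hour lookback and the UserClickedThrough label are my own choices.

```kusto
// Added example, not the thread's own query: custom-detection-ready SmartScreen for Edge alerting.
// Assumptions: SmartScreenUserOverride events carry RemoteUrl; 1h lookback matches the rule frequency.
let lookback = 1h;
// Edge SmartScreen URL warnings, minus those caused by the tenant's own custom indicators
let warnings = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "SmartScreenUrlWarning"
    | extend Experience = tostring(parse_json(AdditionalFields).Experience)
    | where Experience != "CustomPolicy";
// Events written when a user dismissed the SmartScreen warning and continued to the site
let overrides = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "SmartScreenUserOverride"
    | project DeviceId, RemoteUrl, OverrideTime = Timestamp;
warnings
| join kind=leftouter overrides on DeviceId, RemoteUrl
| extend UserClickedThrough = isnotempty(OverrideTime)
// Timestamp, DeviceId and ReportId are mandatory for a custom detection rule
| project Timestamp, DeviceId, DeviceName, ReportId, ActionType, Experience, RemoteUrl,
          InitiatingProcessFileName, InitiatingProcessAccountName, UserClickedThrough
```

Run it in Advanced Hunting first to confirm it returns the expected rows, then save it as a custom detection rule; rows with UserClickedThrough set to true are the ones worth a higher alert severity, since the warning did not stop the user.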