About monitoring user operations for apps that SmartScreen warned about


Even if SmartScreen determines that the app is dangerous, if the operator determines that it is safe, the installation will continue.
However, I would like to check the operation history at that time as an administrator.
By operation history I mean whether it was installed, blocked, and so on.

Upon examination, I found that the log was saved in the Windows Event Viewer. However, I have more than 100 PCs to manage, so I'm looking for a way to check them all at once.

For example, the following methods:
- Alerts are raised only when the installation is executed after the warning, on the management center screen of the endpoint manager.
- You can identify the device by displaying the logs of all PCs at once and filtering only the logs that executed the installation.

Is there any good way or feature?

* According to company rules, it is prohibited to install apps that are not approved. The goal is to find someone who has installed an app that is not approved by the company.

I know SmartScreen can force the installation to be blocked. But if you do that, you won't be able to install apps that you know are safe. I don't want to use the forced blocking feature because Microsoft takes a long time to approve it.

Environment
・Windows 10 Enterprise
・Azure AD (Joined), Microsoft 365 E3, Intune

1 Reply

@S-Zinroku, a few methods of forwarding the event logs related to "SmartScreen":

Method 1) If you have an E5 license, you can use MDE's Advanced Hunting (security.microsoft.com) to create a query for the SmartScreen alerts.

or

Method 2)

Use Azure Monitor to collect the event logs, in this case for SmartScreen.
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

or
Method 3)
Use Windows Event Forwarding (WEF); on the WEC server, create a script to ingest the event log into an Excel workbook, Power BI, or a SQL database.

I hope this helps.

Thanks,
Yong Rhee [MSFT]

P.S. Additionally, if you are using Microsoft Defender Antivirus (MDAV) and you have an E3/A3 license, you are able to see the AV alerts and different reports. Please take a look here:
Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoi...
Set up and configure Microsoft Defender for Endpoint Plan 1 | Microsoft Docs
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration...
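As an added illustration of Method 1 (this is not code from the reply above or from Microsoft): an Advanced Hunting query over the DeviceEvents table that pairs each SmartScreen app warning with a user override that followed it on the same device, which is the "warned, then installed anyway" case the question asks about. It assumes the devices are onboarded to Defender for Endpoint with Advanced Hunting available, and the 30-day lookback and the 10-minute pairing window are assumptions to adjust.

```kql
// Added example, not from the original thread. Assumes MDE onboarding with
// Advanced Hunting; lookback and pairing window are assumptions.
let lookback = 30d;
let pairWindow = 10m;
// SmartScreen app-reputation warnings shown to a user on a device.
let warnings = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "SmartScreenAppWarning"
    | project WarnTime = Timestamp, DeviceId, DeviceName, FileName, SHA256,
              WarnedUser = InitiatingProcessAccountName;
// The user chose to run/install anyway (the override event).
let overrides = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "SmartScreenUserOverride"
    | project OverrideTime = Timestamp, DeviceId,
              OverrideUser = InitiatingProcessAccountName;
warnings
| join kind=leftouter overrides on DeviceId
// Keep an override only if it happened shortly after this warning on the
// same device; otherwise treat the warning as not overridden.
| extend InWindow = OverrideTime between (WarnTime .. (WarnTime + pairWindow))
| extend OverrideTime = iff(InWindow, OverrideTime, datetime(null)),
         OverrideUser = iff(InWindow, OverrideUser, "")
| summarize OverrideCount = countif(isnotnull(OverrideTime)),
            FirstOverride = minif(OverrideTime, isnotnull(OverrideTime)),
            OverrideUser = anyif(OverrideUser, isnotnull(OverrideTime))
    by WarnTime, DeviceName, FileName, SHA256, WarnedUser
| extend Outcome = iff(OverrideCount > 0, "warning overridden", "warned only")
| project WarnTime, DeviceName, WarnedUser, FileName, SHA256,
          Outcome, FirstOverride, OverrideUser
| order by WarnTime desc
```

Filtering on `Outcome == "warning overridden"` gives the list of devices and accounts where an unapproved app was installed after a warning; the same query can be saved as a custom detection rule so each match raises an alert instead of requiring a manual hunt.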