Advanced Hunting for SmartScreen events


Recently I've been working on some Advanced Hunting queries for Web Content Filtering. This data is easy to find for third-party browsers such as Chrome or Firefox, assuming Network Protection is turned on. Simply query DeviceEvents | where ActionType == 'ExploitGuardNetworkProtectionBlocked'. However, Edge does not use Network Protection to block sites based on Web Content Filtering. It utilizes SmartScreen. As such, I would expect that these events would be under the 'SmartScreenUrlWarning' ActionType. However, this doesn't return any data. In fact, I've found that none of the SmartScreen-related ActionTypes return any data. I've confirmed that SmartScreen is enabled and functional with the tools on demo.wd.com. Has anyone been able to successfully query SmartScreen data through Advanced Hunting?

3 Replies

I found it difficult to investigate Web Content Filtering as well.

Besides, it is impossible to see the category of a Web Filtering blocked URL.

There is https://incompass.netstar-inc.com/urlsearch but it's unclear how this correlates to Microsoft MDATP Network Protection Web Filtering decisions.

I'm not sure if I can help, but this doesn't work for you?

https://security.microsoft.com/webcontentfilteringcategoriesdetailspage?viewid=webCategories

Obviously the data has come from somewhere. You obviously have to turn it on in MSDE.
Tenant has MSDE and MSCAS enabled.

Thank you for pointing to the new Security GUI reports (https://security.microsoft.com/webprotection).
The old GUI reports (https://securitycenter.windows.com/reports/webThreatProtection) are not the same as the new ones. The main difference - "Details" buttons are missing.