Nov 18 2021 07:05 PM - edited Nov 18 2021 07:26 PM
Hi,
Was wondering if there was a way to see Defender SmartScreen events/alerts in the MDE Security portal?
For example, let's say Defender SmartScreen is configured and try the Defender SmartScreen test website: https://demo.smartscreen.msft.net/
Should the alert flow through the MDE security portal?
Thanks
Jean-Philippe
Nov 18 2021 07:32 PM
Not 100% sure if an alert will be generated, but you should be able to see events from Advanced Hunting.
This is a query I used lately to find malicious URLs blocked by SmartScreen and network protection.
DeviceEvents
| where (ActionType == "ExploitGuardNetworkProtectionBlocked" and parse_json(AdditionalFields).ResponseCategory != "CustomPolicy") or
(ActionType == "SmartScreenUrlWarning" and parse_json(AdditionalFields).Experience != "CustomPolicy")
The ActionType "SmartScreenUrlWarning" shows the SmartScreen browser events, and I think there was a "SmartScreenFileWarning" for file events too.
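A fuller variant of the hunting query above, added here as an example and not written by any poster in this thread: it parses AdditionalFields once and groups the blocks by device, URL and initiating process, so it is visible which browser or application produced each event. The 7-day window and the output column names are assumptions.

```kusto
// Added example (not from the thread). The 7-day lookback is an assumed value.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("ExploitGuardNetworkProtectionBlocked", "SmartScreenUrlWarning")
// Parse the JSON payload once instead of once per condition.
| extend Fields = parse_json(AdditionalFields)
// tostring() turns a missing field into "", so events without the field are kept.
| extend Category = tostring(Fields.ResponseCategory),
         Experience = tostring(Fields.Experience)
// Same exclusions as the original query: drop hits caused by custom indicators.
| where (ActionType == "ExploitGuardNetworkProtectionBlocked" and Category != "CustomPolicy")
     or (ActionType == "SmartScreenUrlWarning" and Experience != "CustomPolicy")
// One row per device / event type / URL, with the processes that triggered it.
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Processes = make_set(InitiatingProcessFileName)
          by DeviceName, ActionType, RemoteUrl
| order by LastSeen desc
```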
Nov 18 2021 07:38 PM
Nov 19 2021 04:38 AM - edited Nov 19 2021 04:40 AM
When looking at my test environment, I noticed a few alerts with the source listed as SmartScreen, when doing the test below.
https://demo.wd.microsoft.com/Page/NP
The prerequisites for the test do say not to use Edge, though. My alerts came from Internet Explorer.
Nov 24 2021 07:18 PM
Nov 24 2021 07:42 PM
@Jean-Philippe Breton
Thank you very much for sharing that info.
Feels a bit weird that they chose to ignore Edge SmartScreen in the built-in alerts since the events are there in AH, but at least it can be done manually if needed.
Nov 24 2021 07:45 PM