cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Does Defender Smartscreen trigger an MDE alert.

Jean-Philippe Breton
Iron Contributor

‎Nov 18 2021 07:05 PM - edited ‎Nov 18 2021 07:26 PM

‎Nov 18 2021 07:05 PM - edited ‎Nov 18 2021 07:26 PM

Does Defender Smartscreen trigger an MDE alert.

Hi,

 

Was wondering if there was a way to see Defender SmartScreen event/alert in MDE Security portal?

 

For example, lets says Defender Smartscreen is configured and try  the Defender Smartscreen test website: https://demo.smartscreen.msft.net/

 

Should alert flow thru MDE security portal?

 

Thanks

 

Jean-Philippe

1,950 Views
0 Likes
6 Replies
Reply
6 Replies
Jonhed

‎Nov 18 2021 07:32 PM

‎Nov 18 2021 07:32 PM

Re: Does Defender Smartscreen trigger an MDE alert.

@Jean-Philippe Breton 

Not 100% sure if an alert will be generated, but you should be able to see events from Advanced Hunting.

 

This is a query I used lately to find malicious URLs blocked by smartscreen and network protection.

DeviceEvents
| where (ActionType == "ExploitGuardNetworkProtectionBlocked" and parse_json(AdditionalFields).ResponseCategory != "CustomPolicy") or
 (ActionType == "SmartScreenUrlWarning" and parse_json(AdditionalFields).Experience != "CustomPolicy")

 The ActionType "SmartScreenUrlWarning" shows the Smartscreen browser events, and I think there was a "SmartScreenFileWarning" for file events too.

0 Likes
Reply
Jean-Philippe Breton

‎Nov 18 2021 07:38 PM

‎Nov 18 2021 07:38 PM

Re: Does Defender Smartscreen trigger an MDE alert.

Oh thanks for the query !!
It will be very helpful.

I just find it weird that Smartscreen event do not show up in Alerts dashboard in MDE...
1 Like
Reply
Jonhed

‎Nov 19 2021 04:38 AM - edited ‎Nov 19 2021 04:40 AM

‎Nov 19 2021 04:38 AM - edited ‎Nov 19 2021 04:40 AM

Re: Does Defender Smartscreen trigger an MDE alert.

When looking at my test environment, I noticed a few alerts with the source listed as SmartScreen, when doing the test below.
https://demo.wd.microsoft.com/Page/NP

The prerequisites for the test does say not to use Edge though.. My alerts came from Internet Explorer.

0 Likes
Reply
Jean-Philippe Breton

‎Nov 24 2021 07:18 PM

‎Nov 24 2021 07:18 PM

Re: Does Defender Smartscreen trigger an MDE alert.

I also get that alert from Network Protection. Looks like only Edge + Smartscreen does not trigger an alert.
Chatting with a FastTrack engineer, here is his response :
" That is expected behavior for the SmartScreen for Edge. Only components like Network Protection and indicators will use SmartScreen and will pop alerts. You would need to leverage advanced hunting/custom detections in order to pop alerts for SmartScreen for edge. If you jump into AH, you can select Queries at the top left tab and scroll down to Protection Events where you find the SmartScreen built in queries. You can either run with these or customize it a bit. After that you can leverage a custom detection on top of it to fire off alerts. "
0 Likes
Reply
Jonhed

‎Nov 24 2021 07:42 PM

‎Nov 24 2021 07:42 PM

Re: Does Defender Smartscreen trigger an MDE alert.

@Jean-Philippe Breton
Thank you very much for sharing that info.

Feels a bit weird that they chose to ignore Edge smartscreen in the builtin alerts since the events are there in AH, but at least it can be done manually if needed.

0 Likes
Reply
Jean-Philippe Breton

‎Nov 24 2021 07:45 PM

‎Nov 24 2021 07:45 PM

Re: Does Defender Smartscreen trigger an MDE alert.

100% agree. I have raised the idea....hopefully we will see it someday.
0 Likes
Reply