kqlHunting

List SmartScreen Events

This query lists all SmartScreen related events.

Detection Query

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "SmartScreen"
| extend SmartScreenTrigger = iff(ActionType == "SmartScreenUrlWarning", 
RemoteUrl, FileName)
| extend ReasonForTrigger = parse_json(AdditionalFields).Experience
| project
     Timestamp,
     DeviceName,
     ActionType,
     SmartScreenTrigger,
     ReasonForTrigger,
     InitiatingProcessCommandLine

Data Sources

DeviceEvents

Platforms

windowsazure-sentinelmicrosoft-defender

References

https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/

Tags

defender-for-endpoint

Raw Content

# List SmartScreen Events

## Query Information

#### Description
This query lists all SmartScreen related events.

#### References
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/

## Defender XDR
```KQL
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "SmartScreen"
| extend SmartScreenTrigger = iff(ActionType == "SmartScreenUrlWarning", 
RemoteUrl, FileName)
| extend ReasonForTrigger = parse_json(AdditionalFields).Experience
| project
     Timestamp,
     DeviceName,
     ActionType,
     SmartScreenTrigger,
     ReasonForTrigger,
     InitiatingProcessCommandLine
```
## Sentinel
```KQL
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType startswith "SmartScreen"
| extend SmartScreenTrigger = iff(ActionType == "SmartScreenUrlWarning", 
RemoteUrl, FileName)
| extend ReasonForTrigger = parse_json(AdditionalFields).Experience
| project
     TimeGenerated,
     DeviceName,
     ActionType,
     SmartScreenTrigger,
     ReasonForTrigger,
     InitiatingProcessCommandLine
```