kqlHunting

Defender IOC Warning Bypass or Monitor Mode MDA bypass

Logs when users click past a warning shown by Microsoft Defender for Endpoint (MDE). The warning can come from MDE indicators of compromise (IOCs) or from Microsoft Defender for Cloud Apps (MDA), which creates MDE IOCs in the background.

Detection Query

DeviceEvents
| where TimeGenerated > ago(90d)
// Logs when users click past a warning given by MDE. This can be from MDE IOCs or MDA, which creates MDE IOCs in the background.
| where ActionType == "SmartScreenUserOverride" or ActionType == "NetworkProtectionUserBypassEvent"
| project-reorder RemoteUrl, InitiatingProcessAccountUpn, DeviceName, MachineGroup, ActionType, InitiatingProcessFileName
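An added triage variant, not part of the kqlHunting query above, that groups the same override events per user and URL so that repeated clicks through the same indicator stand out; it uses only the columns already referenced in the query.

```kql
// Added example, not the original kqlHunting query: one row per user and URL
// so repeated overrides of the same IOC are visible at a glance.
DeviceEvents
| where TimeGenerated > ago(90d)
| where ActionType in ("SmartScreenUserOverride", "NetworkProtectionUserBypassEvent")
| summarize
    Overrides  = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    Devices    = make_set(DeviceName),
    Processes  = make_set(InitiatingProcessFileName),
    ActionTypes = make_set(ActionType)
    by InitiatingProcessAccountUpn, RemoteUrl
| order by Overrides desc, LastSeen desc
```

Users with many overrides across several devices, or overrides launched from an unexpected process, are the rows worth reviewing first.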

Data Sources

DeviceEvents

Platforms

windows

Tags

defenderioc