Query Details

Defender IOC Warning Bypass Or Monitor Mode MDA Bypass

Query

DeviceEvents
| where TimeGenerated > ago(90d)
| where ActionType == "SmartScreenUserOverride" or ActionType == "NetworkProtectionUserBypassEvent" // logs when users click past a warning given by MDE. This can be from MDE IOCs or from MDA, which creates MDE IOCs in the background
| project-reorder RemoteUrl, InitiatingProcessAccountUpn, DeviceName, MachineGroup, ActionType, InitiatingProcessFileName

Explanation

This KQL (Kusto Query Language) query analyzes device events from the past 90 days and looks specifically for instances where users have bypassed security warnings. It matches two action types: "SmartScreenUserOverride" and "NetworkProtectionUserBypassEvent". Both indicate that a user chose to click past a warning shown by Microsoft Defender for Endpoint (MDE); as the inline comment notes, the underlying indicator may have been created directly in MDE or pushed into MDE in the background by Microsoft Defender for Cloud Apps (MDA).

The query then rearranges the columns in the output to display the following information in order:

  1. RemoteUrl - the URL involved in the event.
  2. InitiatingProcessAccountUpn - the user account that initiated the process.
  3. DeviceName - the name of the device where the event occurred.
  4. MachineGroup - the group to which the device belongs.
  5. ActionType - the type of action taken by the user.
  6. InitiatingProcessFileName - the name of the file that initiated the process.

In summary, this query helps identify and organize events where users have overridden security warnings, providing details about the involved URL, user, device, and action type.
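As an added example (not part of the original query or the author's post), the same two action types can be summarized per user to surface repeat bypasses and the hosts involved; the 30-day window and the threshold of 3 are assumed tuning values:

```kql
// Added example, not the original query: rank accounts by repeated warning
// bypasses so triage can focus on users who keep overriding MDE/MDA warnings.
let lookback = 30d;      // assumed window
let threshold = 3;       // assumed minimum number of bypasses to report
DeviceEvents
| where TimeGenerated > ago(lookback)
| where ActionType in ("SmartScreenUserOverride", "NetworkProtectionUserBypassEvent")
// Reduce full URLs to their host so variations in path/query collapse together
| extend RemoteHost = tostring(parse_url(RemoteUrl).Host)
| summarize
    BypassCount = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    Hosts       = make_set(RemoteHost, 20),
    Devices     = make_set(DeviceName, 10),
    Processes   = make_set(InitiatingProcessFileName, 10)
    by InitiatingProcessAccountUpn, ActionType
| where BypassCount >= threshold
| order by BypassCount desc
```

Lower the threshold to 1 to review every bypass, or drop ActionType from the by clause to count SmartScreen and Network Protection overrides together per user.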

Details


Jay Kerai

Released: March 19, 2026

Tables

DeviceEvents

Keywords

DeviceEvents, TimeGenerated, ActionType, RemoteUrl, InitiatingProcessAccountUpn, DeviceName, MachineGroup, InitiatingProcessFileName

Operators

DeviceEvents, where, ago, or, project-reorder
