Query Details

Device - Find Devices with most SmartScreen Events

Query

//Find the devices in your environment triggering the most Defender SmartScreen events

//Data connector required for this query - M365 Defender - Device* tables

DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType startswith "SmartScreen"
| extend Experience = tostring(AdditionalFields.Experience)
| where isnotempty(Experience)
| summarize
    ['Count of SmartScreen Events']=count(),
    ['List of SmartScreen Event Types']=make_set(Experience)
    by DeviceName
| sort by ['Count of SmartScreen Events'] desc 

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "SmartScreen"
| extend AF = parse_json(AdditionalFields)
| extend Experience = tostring(AF.Experience)
| where isnotempty(Experience)
| summarize
    ['Count of SmartScreen Events']=count(),
    ['List of SmartScreen Event Types']=make_set(Experience)
    by DeviceName
| sort by ['Count of SmartScreen Events'] desc 

Explanation

This query finds the devices in your environment that are triggering the most Defender SmartScreen events. It requires either the M365 Defender - Device* tables data connector (Microsoft Sentinel version) or an Advanced Hunting license (Defender portal version). The query filters the DeviceEvents table to the last 30 days and to ActionType values starting with "SmartScreen". It then extracts the Experience value from AdditionalFields (in the Advanced Hunting version AdditionalFields is a string and is first parsed with parse_json; in Sentinel it is already a dynamic column) and discards rows where that value is empty. The remaining events are summarized per device into a count of SmartScreen events and a set of the distinct SmartScreen event types, and the results are sorted in descending order of the count.
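As an added example that is not part of the original query, the Sentinel version can be extended from a simple ranking into an outlier hunt: compute an environment-wide baseline of per-device SmartScreen counts and return only devices above the 95th percentile, along with the processes that were running when SmartScreen fired. The 30-day lookback, the 95th-percentile threshold and the column aliases are choices made here, not values from the page.

```kql
// Added example, not the original query. Sentinel schema: TimeGenerated and a
// dynamic AdditionalFields column (for Advanced Hunting, use Timestamp and
// parse_json(AdditionalFields) as in the second query above).
let lookback = 30d;                      // assumed window
// Per-device rollup of SmartScreen events, plus context a responder wants:
// which event types fired, which processes triggered them, and when last seen.
let PerDevice = DeviceEvents
| where TimeGenerated > ago(lookback)
| where ActionType startswith "SmartScreen"
| extend Experience = tostring(AdditionalFields.Experience)
| where isnotempty(Experience)
| summarize
    Events = count(),
    EventTypes = make_set(Experience),
    InitiatingProcesses = make_set(InitiatingProcessFileName, 10),
    LastSeen = max(TimeGenerated)
    by DeviceName;
// Environment-wide baseline: median and 95th percentile of per-device counts.
let MedianEvents = toscalar(PerDevice | summarize percentile(Events, 50));
let P95Events = toscalar(PerDevice | summarize percentile(Events, 95));
// Keep only the devices that stand out against the rest of the estate.
PerDevice
| where Events > P95Events
| extend EnvironmentMedian = MedianEvents, EnvironmentP95 = P95Events
| project DeviceName, Events, EnvironmentMedian, EnvironmentP95,
          EventTypes, InitiatingProcesses, LastSeen
| sort by Events desc
```

Devices returned here are candidates for follow-up (repeated downloads of low-reputation files, or a user routinely bypassing SmartScreen warnings), not confirmed incidents; the baseline is only meaningful once enough devices report events.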

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

Devices, Defender SmartScreen, Data connector, M365 Defender, DeviceEvents, TimeGenerated, ActionType, SmartScreen, Experience, isnotempty, Count of SmartScreen Events, List of SmartScreen Event Types, DeviceName, sort, Advanced Hunting, Timestamp, AF, parse_json

Operators

|, where, >, ago, startswith, extend, tostring, isnotempty, summarize, count, make_set, by, sort, desc, parse_json
