Query Details

Device Summarize Smart Screen Phishing Domains

Query

//Summarize the domains that Smartscreen is blocking as phishing attempts

//Data connector required for this query - M365 Defender - Device* tables

DeviceEvents
| where TimeGenerated > ago(30d)
// Matches every SmartScreen action type (SmartScreenUrlWarning, SmartScreenUserOverride, ...)
| where ActionType startswith "SmartScreen"
| extend SmartScreenExperience = tostring(AdditionalFields.Experience)
| where SmartScreenExperience == "Phishing"
// Keep only events whose RemoteUrl has a scheme and a path; the text between '://' and the first '/' is the host
| parse-where RemoteUrl with * '://' RemoteDomain '/' *
| summarize Count = count() by RemoteDomain
// sort by defaults to descending; stated explicitly so the most-hit domains are on top
| sort by Count desc

Explanation

This query summarizes the domains for which SmartScreen raised a phishing warning. It uses the M365 Defender - Device* tables as the data source. It filters the DeviceEvents table for events from the last 30 days whose ActionType starts with "SmartScreen", which covers every SmartScreen action type, including SmartScreenUserOverride (a user clicking through the warning), not only the initial block. It then extracts AdditionalFields.Experience into a SmartScreenExperience column and keeps only events where that value is "Phishing". The query parses the RemoteUrl field to pull out the host between "://" and the first "/" as RemoteDomain, then counts the events per domain. Because parse-where drops rows that do not match the pattern, a RemoteUrl with no path after the host (for example https://example.com with no trailing slash) is silently excluded; use parse_url(RemoteUrl).Host if you need those rows. The results are sorted by the count in descending order, which is the default for sort by in KQL.
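The following is an added variant of the query, not part of the original page or Matt Zorich's query, that keeps URLs without a trailing path by taking the host from parse_url() and adds the context an analyst usually wants next to the hit count: how many devices and users touched the domain, when it was first and last seen, and how many of the events were SmartScreenUserOverride. The override count assumes the override event carries the same AdditionalFields.Experience value as the warning it follows; if it does not, that column simply stays at 0.

```kql
// Added example (not from the original page): phishing domains SmartScreen warned on,
// with host extraction via parse_url() so URLs with no path are kept,
// plus device/user spread, first/last seen and user-override counts per domain.
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType startswith "SmartScreen"
| extend SmartScreenExperience = tostring(AdditionalFields.Experience)
| where SmartScreenExperience == "Phishing"
// parse_url() returns a dynamic object; Host is the hostname without scheme, port or path
| extend RemoteDomain = tolower(tostring(parse_url(RemoteUrl).Host))
| where isnotempty(RemoteDomain)
| summarize Events = count(),
            Devices = dcount(DeviceName),
            Users = dcount(InitiatingProcessAccountName),
            // Assumption: override events carry Experience == "Phishing" like the warning they follow
            UserOverrides = countif(ActionType == "SmartScreenUserOverride"),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by RemoteDomain
| sort by Events desc
```

A domain with UserOverrides greater than 0 is the one to triage first: someone proceeded past the warning, so the devices listed under it may have submitted credentials.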

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents,TimeGenerated,ActionType,SmartScreenExperience,AdditionalFields.Experience,RemoteUrl,RemoteDomain,Count

Operators

where, ago, startswith, extend, ==, parse-where, with, summarize, count(), by, sort by
