Query Details

Device Summarize Smart Screen Untrusted Files

Query

//Summarize the most common files in your environment flagging Smartscreen untrusted warnings

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType startswith "SmartScreen"
| extend SmartScreenExperience = tostring(AdditionalFields.Experience)
| where SmartScreenExperience == "Untrusted"
| summarize Count = count() by FileName
| sort by Count desc

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "SmartScreen"
// In Advanced Hunting, AdditionalFields is a JSON string; parse the Experience
// property rather than matching the whole string, so extra properties do not
// silently drop rows
| extend SmartScreenExperience = tostring(parse_json(AdditionalFields).Experience)
| where SmartScreenExperience == "Untrusted"
| summarize Count = count() by FileName
| sort by Count desc

Explanation

This query finds the most common files in your environment that are flagged with SmartScreen "Untrusted" warnings. It uses the M365 Defender Device* tables as the data source. The query filters DeviceEvents to the past 30 days and to ActionType values starting with "SmartScreen", extracts the Experience property from AdditionalFields into a SmartScreenExperience field, and keeps only "Untrusted" experiences. It then counts occurrences per FileName and sorts the results by count, most common first. The same logic runs in Microsoft Sentinel (using TimeGenerated, where AdditionalFields is already a dynamic column) or in Advanced Hunting (using Timestamp, where AdditionalFields is a JSON string).
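A count of events per FileName is a useful first cut, but a single noisy device can push one file to the top. The following is an added example, not part of the original query page, that extends the Sentinel form of the query to rank files by how many distinct devices saw them, keep the SHA256 so the file can be looked up, and show whether anyone clicked through the warning. It relies on the DeviceEvents columns DeviceName, FolderPath and SHA256 and on the SmartScreenUserOverride action type as documented in the Defender schema; the Devices >= 3 threshold is an assumption to tune for your environment.

```kql
// Added example: prevalence of SmartScreen "Untrusted" files by distinct device
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType startswith "SmartScreen"
| extend SmartScreenExperience = tostring(AdditionalFields.Experience)
| where SmartScreenExperience == "Untrusted"
| summarize
    Events = count(),
    Devices = dcount(DeviceName),
    // user chose to run the file despite the warning
    Overrides = countif(ActionType == "SmartScreenUserOverride"),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SampleFolder = any(FolderPath)
    by FileName, SHA256
// assumption: ignore files seen on fewer than three devices to cut one-off noise
| where Devices >= 3
| sort by Devices desc, Events desc
```

Grouping by SHA256 as well as FileName separates a renamed installer from a different binary that happens to share a name, and a non-zero Overrides column is the row to triage first, since the warning was shown and bypassed.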

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents,TimeGenerated,ActionType,SmartScreenExperience,AdditionalFields,FileName,Count

Operators

where, ago, startswith, extend, tostring, ==, count(), by, sort by
