Query Details

Device - Visualize Malicious SmartScreen URLs

Query

// Visualize the most common domains triggering Microsoft Defender SmartScreen warnings

// Data connector required for this query - M365 Defender - Device* tables

DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == "SmartScreenUrlWarning"
// Extract the host portion of the URL (the text between '://' and the next '/')
| parse RemoteUrl with * '://' Domain '/' *
| where isnotempty(Domain)
| summarize Count = count() by Domain
// sort by is descending by default in KQL; stated explicitly here
| sort by Count desc
| render barchart

Explanation

This query analyzes data from the DeviceEvents table to identify the most frequent domains that trigger Microsoft Defender SmartScreen warnings. It filters the data to the past 30 days and keeps only events with the ActionType "SmartScreenUrlWarning". It then extracts the domain from the RemoteUrl field (the text between "://" and the next "/") and discards rows where no domain could be extracted. The query then counts the occurrences of each domain and sorts them in descending order, which is the default for sort by in KQL. Finally, it visualizes the results as a bar chart.
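The parse pattern above only matches when a "/" follows the host, so a URL with no path (for example "https://host.example") yields an empty Domain and is silently dropped, and a host with an explicit port keeps the port attached. The following is an added example, not part of this page's query or of any Microsoft content; it runs against a constructed datatable instead of the live DeviceEvents table and compares the page's parse-based extraction with parse_url(), which handles both cases. The sample URLs, device names and timestamps are made up for illustration.

```kql
// Added example: compare parse-based host extraction with parse_url() on
// constructed sample rows that mimic DeviceEvents SmartScreen records.
let SampleEvents = datatable(TimeGenerated:datetime, ActionType:string, RemoteUrl:string, DeviceName:string)
[
    datetime(2022-06-01 10:00:00), "SmartScreenUrlWarning",  "https://bad.example.test/login.php",   "ws01",
    datetime(2022-06-01 10:05:00), "SmartScreenUrlWarning",  "https://bad.example.test/",            "ws02",
    datetime(2022-06-01 10:09:00), "SmartScreenUrlWarning",  "https://bad.example.test",             "ws03",
    datetime(2022-06-01 11:00:00), "SmartScreenUrlWarning",  "http://phish.example.test:8080/index", "ws01",
    datetime(2022-06-01 11:30:00), "SmartScreenUserOverride","https://bad.example.test/login.php",   "ws01",
    datetime(2022-06-02 09:00:00), "SmartScreenUrlWarning",  "https://other.example.test/x",         "ws04"
];
// Page's approach: parse needs a '/' after the host. The third row has no path,
// so Domain is empty and the row is dropped; the fourth row keeps ":8080" in Domain.
let ParseBased = SampleEvents
| where ActionType == "SmartScreenUrlWarning"
| parse RemoteUrl with * '://' Domain '/' *
| where isnotempty(Domain)
| summarize Count = count(), Devices = dcount(DeviceName) by Domain;
// parse_url() returns a dynamic object; .Host is the bare hostname, so the
// path-less row is kept and the port is separated from the host.
let UrlBased = SampleEvents
| where ActionType == "SmartScreenUrlWarning"
| extend Domain = tostring(parse_url(RemoteUrl).Host)
| where isnotempty(Domain)
| summarize Count = count(), Devices = dcount(DeviceName) by Domain;
// Show both result sets side by side, tagged with the extraction method used.
union (ParseBased | extend Method = "parse"), (UrlBased | extend Method = "parse_url")
| sort by Method asc, Count desc
```

In the output, the parse_url rows attribute all three bad.example.test warnings to one domain and report phish.example.test without its port, while the parse rows undercount the first and list the second with ":8080" attached. The Devices column (distinct device count) is a useful addition to the original chart, since one host generating many warnings is a different situation from many hosts each hitting a domain once.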

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents,M365Defender,Device,TimeGenerated,ActionType,SmartScreenUrlWarning,parse,RemoteUrl,Domain,isnotempty,summarize,Count,sort,render,barchart

Operators

where, ago, ==, parse, with, '/', isnotempty, summarize, count(), by, sort by, render
