Query Details

Defender SmartScreen

MDE Defender Smart Screen Events

Query

A user has overridden a SmartScreen warning and continued to open an untrusted app or a low-reputation URL.
DeviceEvents
 | where ActionType == 'SmartScreenUserOverride'

About this query

Explanation

The query is used to find events related to Windows Defender SmartScreen. It includes different queries to retrieve information about SmartScreen warnings, such as when a user overrides a warning and continues to open an untrusted app or URL. It also includes queries for SmartScreen browser warnings, custom indicators, app warnings, and network protection events. The queries extract specific fields like timestamp, device name, action type, remote URL, experience, initiating process file name, and initiating process account UPN.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

DeviceEvents

Keywords

DevicesIntuneUser

Operators

whereextendparse_jsonprojecttostringindistinct

Actions

GitHub