Query Details

SmartScreen Events

Query

# Hunt for SmartScreen events. What file was opened? Or which URL did they try to access?
----
### Defender For Endpoint

```
DeviceEvents
| where Timestamp > ago(7d)
// One event per warning shown: AppWarning for a file or app, UrlWarning for a browser navigation
| where ActionType has_any('SmartScreenAppWarning', 'SmartScreenUrlWarning')
// The flagged object sits in RemoteUrl for URL warnings and in FileName for app warnings
| extend SmartScreenTrigger = iff(ActionType == "SmartScreenUrlWarning", RemoteUrl, FileName)
// AdditionalFields is a JSON string; its Experience property is the verdict SmartScreen showed the user
| extend ReasonForTrigger = tostring(parse_json(AdditionalFields).Experience)
| project
    Timestamp,
    DeviceName,
    ActionType,
    SmartScreenTrigger,
    ReasonForTrigger,
    InitiatingProcessCommandLine
```
### Sentinel
```
DeviceEvents
| where TimeGenerated > ago(7d)
// One event per warning shown: AppWarning for a file or app, UrlWarning for a browser navigation
| where ActionType has_any('SmartScreenAppWarning', 'SmartScreenUrlWarning')
// The flagged object sits in RemoteUrl for URL warnings and in FileName for app warnings
| extend SmartScreenTrigger = iff(ActionType == "SmartScreenUrlWarning", RemoteUrl, FileName)
// AdditionalFields is a JSON string; its Experience property is the verdict SmartScreen showed the user
| extend ReasonForTrigger = tostring(parse_json(AdditionalFields).Experience)
| project
    TimeGenerated,
    DeviceName,
    ActionType,
    SmartScreenTrigger,
    ReasonForTrigger,
    InitiatingProcessCommandLine
```



Explanation

Both versions of the query search the DeviceEvents table for SmartScreen activity over the last seven days; they differ only in the timestamp column (Timestamp in Defender for Endpoint advanced hunting, TimeGenerated in Sentinel). The filter keeps events whose ActionType is SmartScreenAppWarning (a downloaded or executed file was flagged) or SmartScreenUrlWarning (a browser navigation was flagged). Because the flagged object sits in a different column for each type, the query takes RemoteUrl for URL warnings and FileName for app warnings and exposes it as SmartScreenTrigger. The reason SmartScreen raised the warning is not a top-level column: it is the Experience property inside the JSON string in AdditionalFields, so the query parses that field. The projected columns give the time, device, event type, what was flagged, why, and the command line of the process that triggered the warning. Note that a warning event only records that the prompt was shown; whether the user clicked through it is logged as a separate SmartScreenUserOverride event.
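The warnings above are most interesting when the user ignored them. The following is an added example, not part of the original query or of the author's repository, that pairs each warning with a later SmartScreenUserOverride event on the same device so the hunt returns only the warnings that were bypassed. It uses the Defender for Endpoint column names; for Sentinel, replace Timestamp with TimeGenerated as the page does. The ten-minute correlation window and the decision to match the override to the warning by URL or file name are assumptions chosen for illustration, not documented behaviour.

```kql
// Added example (not from the original page): SmartScreen warnings that a user clicked through.
let lookback = 7d;
// All warnings, with the flagged object and the SmartScreen verdict pulled out as in the original query.
let warnings = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ("SmartScreenAppWarning", "SmartScreenUrlWarning")
| extend SmartScreenTrigger = iff(ActionType == "SmartScreenUrlWarning", RemoteUrl, FileName)
| extend ReasonForTrigger = tostring(parse_json(AdditionalFields).Experience)
| project WarningTime = Timestamp, DeviceId, DeviceName, ActionType,
          SmartScreenTrigger, ReasonForTrigger, InitiatingProcessCommandLine;
// Override events: the user chose to proceed past a warning. Assumption: the bypassed object is in
// RemoteUrl for URL overrides and in FileName otherwise, mirroring the warning events.
let overrides = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "SmartScreenUserOverride"
| project OverrideTime = Timestamp, DeviceId,
          OverrideTrigger = iff(isempty(RemoteUrl), FileName, RemoteUrl);
warnings
| join kind=inner (overrides) on DeviceId
// Assumption: an override within 10 minutes of the warning, for the same object, is the user bypassing it.
| where OverrideTime between (WarningTime .. (WarningTime + 10m))
| where OverrideTrigger == SmartScreenTrigger
| project WarningTime, OverrideTime, DeviceName, ActionType,
          SmartScreenTrigger, ReasonForTrigger, InitiatingProcessCommandLine
| order by WarningTime desc
```

Rows returned here are worth a closer look at the device: the prompt was shown, the verdict in ReasonForTrigger explains why, and the user proceeded anyway. Widen or narrow the window if your tenant shows overrides landing well after the warning, and drop the OverrideTrigger match if the override events in your data do not carry the URL or file name.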

Details


Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceEvents

Keywords

DeviceEvents,Timestamp,DeviceName,ActionType,SmartScreenTrigger,ReasonForTrigger,InitiatingProcessCommandLine,RemoteUrl,FileName,AdditionalFields,Experience,TimeGenerated

Operators

where, ago, has_any, extend, iff, parse_json, project
