Query Details

Triggers when a user performs a SmartScreen Override action

Smart Screen Override

Query

DeviceEvents
| where ingestion_time() > ago(7d)
| where ActionType == "SmartScreenUserOverride"

About this query

Triggers when a user performs a SmartScreen Override action

Query Information

Description

This query lists all SmartScreen override related events.

References

Defender XDR

Sentinel

DeviceEvents
| where ingestion_time() > ago(7d)
| where ActionType == "SmartScreenUserOverride"

Explanation

This query is designed to identify instances where a user has bypassed or overridden a SmartScreen warning within the past seven days. SmartScreen is a security feature in Windows that helps protect against phishing and malware by warning users about potentially harmful websites or downloads. The query looks for events specifically related to user overrides of these warnings. It filters the data to show only those events where the action type is "SmartScreenUserOverride," indicating that a user chose to proceed despite the SmartScreen warning. The query is applicable to both Defender XDR and Sentinel environments.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

DeviceEvents|whereingestion_time()>ago()==

Actions

GitHub