Query Details

Smart Screen Override

Query

# Triggers when a user performs a SmartScreen Override action
----
### Defender For Endpoint

```
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "SmartScreenUserOverride"
```
### Sentinel
```
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType == "SmartScreenUserOverride"
```



Explanation

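The query returns `DeviceEvents` records from the past 7 days in which a user performed a SmartScreen override on a device (`ActionType == "SmartScreenUserOverride"`). The Defender for Endpoint and Sentinel versions are identical except for the time column: `Timestamp` in Defender for Endpoint and `TimeGenerated` in Sentinel.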
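For triage, the same filter can be grouped by device and account so that repeated overrides stand out. This is an added example, not part of the original query. It assumes the standard `DeviceEvents` columns `DeviceName`, `InitiatingProcessAccountName`, `RemoteUrl` and `FileName`, and which of these are populated for an override event is an assumption to verify in your own tenant.

```kusto
// Added example (Defender for Endpoint): overrides per device and account.
// For Sentinel, replace Timestamp with TimeGenerated.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "SmartScreenUserOverride"
// RemoteUrl and FileName may be empty depending on what was overridden
| summarize
    Overrides = count(),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    Urls  = make_set_if(RemoteUrl, isnotempty(RemoteUrl), 20),
    Files = make_set_if(FileName, isnotempty(FileName), 20)
    by DeviceName, InitiatingProcessAccountName
| sort by Overrides desc
```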

Details


Bert-Jan Pals

Released: March 8, 2023

Tables

DeviceEvents

Keywords

Triggers,SmartScreen,Override,User,Defender,Endpoint,DeviceEvents,Timestamp,ActionType,Sentinel,TimeGenerated

Operators

where, >, ago, ==
