Device Summarize Smart Screen Phishing Domains
Query
//Summarize the domains that Smartscreen is blocking as phishing attempts
//Data connector required for this query - M365 Defender - Device* tables
DeviceEvents
| where TimeGenerated > ago (30d)
| where ActionType startswith "SmartScreen"
| extend SmartScreenExperience = tostring(AdditionalFields.Experience)
| where AdditionalFields.Experience == "Phishing"
| parse-where RemoteUrl with * '://' RemoteDomain '/' *
| summarize Count=count()by RemoteDomain
| sort by CountExplanation
This query is designed to identify and summarize the domains that Microsoft Defender's SmartScreen feature has blocked as phishing attempts over the past 30 days. Here's a simple breakdown of what each part of the query does:
-
Data Source: It uses the
DeviceEventstable from the M365 Defender data connector, which includes information about device events. -
Time Filter: It filters the data to only include events from the last 30 days.
-
Action Type Filter: It looks for events where the action type starts with "SmartScreen", indicating they are related to SmartScreen activities.
-
Experience Filter: It further narrows down the events to those where the SmartScreen experience is specifically related to "Phishing".
-
Domain Extraction: It extracts the domain name from the URL that was blocked by parsing the
RemoteUrlfield. -
Summarization: It counts how many times each domain was blocked and summarizes this information.
-
Sorting: Finally, it sorts the domains by the number of times they were blocked, in descending order, so the most frequently blocked domains appear first.
In summary, this query provides a list of domains that have been most frequently blocked by SmartScreen as phishing attempts in the last 30 days.
Details

Matt Zorich
Released: June 17, 2022
Tables
Keywords
Operators