Defender for Endpoint Advanced Hunting: SMB Signature Data Removal

🚨 The Signal: Microsoft Defender for Endpoint is removing SMB signature inspection events from Advanced Hunting to improve performance and focus on higher-value network telemetry. This requires updates to custom detection rules and queries.

The Impact

Security administrators and analysts using Advanced Hunting will need to update queries to maintain visibility of SMB traffic.

  • Security administrators and analysts: Queries, detections, or workflows relying on SMB signature inspection events will stop returning results.
  • Organizations with custom detection rules: Custom rules referencing SMB_Client will no longer function as expected.
  • Organizations with hunting queries: Saved hunting queries referencing SMB_Client will cease to return results.
  • Organizations with automated workflows: Automated workflows triggered by SMB signature inspection events will stop firing once those events are gone.

The Action

  1. Review custom detection rules, saved hunting queries, scheduled queries, and automated workflows for references to SMB_Client.
  2. Update affected queries to identify SMB traffic using port-based filtering (port 445) in the DeviceNetworkEvents table.
  3. Validate updated queries return the expected results before July 1, 2026.
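A port-based replacement query for step 2, written here as an added example rather than text from the notice or a Microsoft-supplied query. It assumes the standard DeviceNetworkEvents columns (RemotePort, LocalPort, ActionType, RemoteIP, InitiatingProcessFileName, InitiatingProcessAccountName) and that kernel-originated SMB client traffic is attributed to the System process.

```kql
// Added example: SMB visibility from DeviceNetworkEvents via port 445,
// without any reliance on SMB signature inspection events.
// Outbound SMB: this device initiated a connection to port 445 on a peer.
let outbound = DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemotePort == 445
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")
    | extend Direction = "Outbound", PeerIP = RemoteIP;
// Inbound SMB: a peer connected to port 445 on this device.
let inbound = DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where LocalPort == 445 and ActionType == "InboundConnectionAccepted"
    | extend Direction = "Inbound", PeerIP = RemoteIP;
union outbound, inbound
// Drop loopback and link-local noise.
| where PeerIP !startswith "127." and PeerIP !startswith "169.254."
// Assumption: legitimate SMB client traffic is mostly owned by the kernel
// and reported as the 'System' process; anything else initiating an
// outbound SMB session is worth reviewing.
| extend NonSystemInitiator = iff(Direction == "Outbound"
                                  and InitiatingProcessFileName !~ "System",
                                  true, false)
| summarize Connections = count(),
            DistinctPeers = dcount(PeerIP),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, Direction, InitiatingProcessFileName,
       InitiatingProcessAccountName, NonSystemInitiator
| order by NonSystemInitiator desc, DistinctPeers desc
```

Run it against the same time window as the old SMB_Client-based query and compare the device and peer coverage before retiring the old rule.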

Domain: Defender · Impact: medium · Workload: Microsoft Defender · Essential Eight: Application Control · ISM: ISM-0974, ISM-1670