Upcoming change to Microsoft Defender for Endpoint Advanced Hunting: removal of SMB signature data

🚨 The Signal: Microsoft Defender for Endpoint will remove SMB signature inspection data from Advanced Hunting. This change aims to improve performance and focus on higher-value network telemetry, requiring security teams to update custom detection rules for SMB traffic.

The Impact

Security teams are affected, facing a risk of reduced visibility into SMB-based attacks if detection rules are not updated.

  • Security analysts: Risk of blind spots for SMB-related threats if queries are not updated.
  • Organizations with custom detections: Existing rules for SMB signatures will cease to function.
  • Incident response teams: Potential delay in detecting SMB-based lateral movement or exfiltration.
  • Compliance officers: Need to verify continuous monitoring capabilities for SMB traffic are maintained.

The Action

  1. Identify all custom detection rules, hunting queries, and automated workflows in Microsoft Defender for Endpoint Advanced Hunting that reference ActionType = “NetworkSignatureInspected” and SignatureName = “SMB_Client”.
  2. Modify the identified queries and rules to filter the DeviceNetworkEvents table on InitiatingProcessPort or RemotePort = 445 to detect SMB traffic.
  3. Test updated queries and rules to ensure they accurately capture relevant SMB network activity.
  4. Communicate the change and updated detection methods to security operations and incident response teams.
  5. Review and update relevant security monitoring documentation and playbooks.
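As an added example (not part of the original notice and not Microsoft's own sample), the KQL below shows the migration described in steps 1 and 2: the first query is the signature-based form that will stop returning rows, the second is a port-based replacement built on documented DeviceNetworkEvents columns (ActionType, LocalPort, RemotePort, RemoteIPType). It assumes SignatureName is read from the AdditionalFields JSON of NetworkSignatureInspected events, and it uses LocalPort rather than the InitiatingProcessPort field named in step 2. The fan-out threshold of 10 is a constructed starting value to tune per environment.

```kql
// --- BEFORE: signature-based SMB detection (will return nothing after the change) ---
// Assumption: SignatureName lives in the AdditionalFields JSON of NetworkSignatureInspected rows.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "NetworkSignatureInspected"
| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)
| where SignatureName == "SMB_Client"
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountName

// --- AFTER: port-based SMB detection with a lateral-movement fan-out check ---
DeviceNetworkEvents
| where Timestamp > ago(7d)
// Outbound SMB from this host, or inbound SMB accepted by it
| where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
| where RemotePort == 445 or LocalPort == 445
// Keep only internal peers; SMB to public IPs is a separate, usually stricter, rule
| where RemoteIPType == "Private"
| summarize
    Connections = count(),
    DistinctTargets = dcount(RemoteIP),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(Timestamp, 1h)
// One process/account reaching many distinct SMB peers in an hour is the pattern worth a closer look
| where DistinctTargets > 10
| order by DistinctTargets desc
```

Run the old query first to confirm it has gone quiet, then compare the port-based query against the same window before cutting over; expect a higher baseline volume from the port filter, since it no longer depends on the sensor having recognised an SMB handshake, so the fan-out threshold and the account or process allow-list need tuning against known file servers and backup agents.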

Domain: Defender · Impact: high · Workload: Microsoft Defender