{"id":16640,"date":"2026-06-02T09:01:36","date_gmt":"2026-06-02T00:01:36","guid":{"rendered":"https:\/\/m365jp.net\/?p=16640"},"modified":"2026-06-02T09:02:37","modified_gmt":"2026-06-02T00:02:37","slug":"mc1330888-upcoming-change-to-microsoft-defender-for-endpoint-advanced-hunting-removal-of-smb-signature-data","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2026-06-02-mc1330888-upcoming-change-to-microsoft-defender-for-endpoint-advanced-hunting-removal-of-smb-signature-data","title":{"rendered":"MC1330888 | Upcoming change to Microsoft Defender for Endpoint Advanced Hunting: removal of SMB signature data"},"content":{"rendered":"
\n
\n
\n\n\n\n
MC1330888 | Upcoming change to Microsoft Defender for Endpoint Advanced Hunting: removal of SMB signature data<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n\n\n\n\n\n\n\n
Classification<\/th>\nplanForChange<\/td>\n<\/tr>\n
Last Updated<\/th>\n06\/01\/2026 23:24:30<\/td>\n<\/tr>\n
Start Time<\/th>\n06\/01\/2026 23:24:13<\/td>\n<\/tr>\n
End Time<\/th>\n08\/01\/2026 07:00:00<\/td>\n<\/tr>\n
Message Content<\/th>\n\n

[Introduction]<\/b><\/p>\n

<\/p>\n

To improve endpoint performance and focus on higher-value network telemetry, Microsoft is removing
SMB signature inspection events<\/b> from Advanced Hunting in Microsoft Defender for Endpoint.
This change reflects observed low customer value for SMB signature data on endpoints and our continued
investment in more advanced SMB visibility through Zeek-based network capabilities<\/b>. <\/p>\n

<\/p>\n

[When this will happen:]<\/b><\/p>\n

<\/p>\n

    <\/ul>\n

    The rollout to Worldwide, GCC, GCC High, and DoD will begin on July 1, 2026<\/b>, and will complete shortly thereafter across all tenants.<\/p>\n

    <\/p>\n

    [How this affects your organization:]<\/b><\/p>\n

    <\/p>\n

    Who is affected:<\/b><\/p>\n

    <\/p>\n

      <\/p>\n
    • Security administrators and analysts using Microsoft Defender for Endpoint Advanced Hunting<\/b><\/li>\n

      <\/p>\n

    • Organizations with custom detection rules, hunting queries, scheduled queries, or automated workflows<\/b> that reference SMB signature inspection events<\/li>\n

      <\/ul>\n

      What will happen:<\/b><\/p>\n

      <\/p>\n

        <\/p>\n
      • Events with ActionType = \u201cNetworkSignatureInspected\u201d<\/code><\/b> and SignatureName = \u201cSMB_Client\u201d<\/code><\/b> will no longer be generated.<\/li>\n

        <\/p>\n

      • Queries, detections, or workflows that rely on these events will stop returning results after the rollout.<\/li>\n

        <\/p>\n

      • Other network signature inspection events remain unchanged.<\/li>\n

        <\/p>\n

      • The change is on by default<\/b> and does not require tenant configuration.<\/li>\n

        <\/ul>\n

        [What you can do to prepare:]<\/b><\/p>\n

        To continue identifying SMB traffic in Advanced Hunting, we recommend filtering on port 445<\/b>, the standard port used by SMB, in the DeviceNetworkEvents<\/code> table, which remains fully supported.<\/p>\n

        <\/p>\n

          <\/p>\n
        • Review custom detection rules, saved hunting queries, scheduled queries, and automated workflows for references to SMB_Client<\/code><\/b>.<\/li>\n

          <\/p>\n

        • Update affected queries to identify SMB traffic using port-based filtering.<\/li>\n

          <\/p>\n

        • Validate updated queries return the expected results before July 1, 2026<\/b>.<\/li>\n

          <\/ul>\n

          Query update example<\/b><\/p>\n

          Replace:<\/b><\/p>\n

          <\/p>\n


          DeviceNetworkEvents
          | where ActionType == \"NetworkSignatureInspected\"
          | extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)
          | where SignatureName == \"SMB_Client\"
          <\/code><\/pre>\n
          With:<\/b><\/p>\n
            <\/p>\n

          DeviceNetworkEvents
          | where RemotePort == 445 or LocalPort == 445
          <\/code><\/pre>\n
            For questions or feedback regarding this change, contact Microsoft Support<\/b> or your
            Microsoft account representative<\/b>.  <\/p>\n
          [Compliance considerations:]<\/b><\/p>\n
            <\/p>\n
              <\/p>\n
          • Admin monitoring and reporting:<\/b> The removal of SMB signature inspection events changes available Advanced Hunting telemetry and may affect how administrators monitor or investigate SMB activity.<\/li>\n
              <\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
            MC1330888 | Upcoming change to Microsoft Defender for Endpoint Advanced Hunting: removal of SMB signature data […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16640","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/16640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=16640"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/16640\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=16640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=16640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=16640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}