MC1330888: Upcoming change to Microsoft Defender for Endpoint Advanced Hunting: removal of SMB signature data

Microsoft Defender for Endpoint will remove SMB signature inspection events from Advanced Hunting starting July 1, 2026, due to low customer value. Users must update queries referencing SMB_Client to filter on port 445 instead. Other network signature events remain unchanged; no tenant action is ...

🚨
Major Update: This post contains a significant change that may impact your organisation.

[Introduction]

To improve endpoint performance and focus on higher-value network telemetry, Microsoft is removing SMB signature inspection events from Advanced Hunting in Microsoft Defender for Endpoint. This change reflects observed low customer value for SMB signature data on endpoints and our continued investment in more advanced SMB visibility through Zeek-based network capabilities.

[When this will happen:]

The rollout to Worldwide, GCC, GCC High, and DoD will begin on July 1, 2026, and will complete shortly thereafter across all tenants.

[How this affects your organization:]

Who is affected:

  • Security administrators and analysts using Microsoft Defender for Endpoint Advanced Hunting
  • Organizations with custom detection rules, hunting queries, scheduled queries, or automated workflows that reference SMB signature inspection events

What will happen:

  • Events with ActionType = "NetworkSignatureInspected" and SignatureName = "SMB_Client" will no longer be generated.
  • Queries, detections, or workflows that rely on these events will stop returning results after the rollout.
  • Other network signature inspection events remain unchanged.
  • The change is on by default and does not require tenant configuration.

[What you can do to prepare:]

To continue identifying SMB traffic in Advanced Hunting, we recommend filtering on port 445, the standard port used by SMB, in the DeviceNetworkEvents table, which remains fully supported.

  • Review custom detection rules, saved hunting queries, scheduled queries, and automated workflows for references to SMB_Client.
  • Update affected queries to identify SMB traffic using port-based filtering.
  • Validate updated queries return the expected results before July 1, 2026.

Query update example

Replace:


DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)
| where SignatureName == "SMB_Client"

With:


DeviceNetworkEvents
| where RemotePort == 445 or LocalPort == 445
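
To support the validation step above, the following query (an added example, not part of Microsoft's post) compares, per device, the retiring SMB_Client events with what port-445 filtering returns. The 7-day lookback and the output column names (OldEvents, NewEvents, ActionTypes, Coverage) are assumptions.

```kusto
// Added example: per-device coverage check before the SMB_Client events are removed.
let lookback = 7d; // assumed window; align with your rule schedule and retention
let OldSmb = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "NetworkSignatureInspected"
    | extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)
    | where SignatureName == "SMB_Client"
    | summarize OldEvents = count() by DeviceId;
let NewSmb = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemotePort == 445 or LocalPort == 445
    // Leave out signature inspection rows so the count does not
    // depend on the events that are being retired.
    | where ActionType != "NetworkSignatureInspected"
    | summarize NewEvents = count(), ActionTypes = make_set(ActionType) by DeviceId;
OldSmb
| join kind=fullouter NewSmb on DeviceId
// A full outer join leaves DeviceId empty on rows that exist only on the right side.
| extend DeviceId = coalesce(DeviceId, DeviceId1)
| project DeviceId,
          OldEvents = coalesce(OldEvents, 0),
          NewEvents = coalesce(NewEvents, 0),
          ActionTypes
| extend Coverage = case(
    OldEvents > 0 and NewEvents == 0, "gap: only SMB_Client signature events",
    OldEvents == 0 and NewEvents > 0, "new: only port-445 events",
    "covered by both")
| order by Coverage asc, OldEvents desc
```

Devices in the "gap" rows are the ones where a rewritten rule would stop returning results. The port filter matches any ActionType, so rules that threshold on event counts should be re-baselined using the ActionTypes column.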

For questions or feedback regarding this change, contact Microsoft Support or your Microsoft account representative.

[Compliance considerations:]

  • Admin monitoring and reporting: The removal of SMB signature inspection events changes available Advanced Hunting telemetry and may affect how administrators monitor or investigate SMB activity.