(Updated) Upcoming change to Microsoft Defender for Endpoint Advanced Hunting: removal of SMB signature data

Reading time

3 minutes

Die Inhalte auf dieser Seite wurden maschinell übersetzt.

summary: Starting July 13, 2026, Microsoft Defender for Endpoint will remove SMB signature inspection events from Advanced Hunting to improve performance. Queries using these events will stop working; users should update them to filter SMB traffic by port 445 in DeviceNetworkEvents before July 1, 2026.

Updated July 7, 2026: We have updated the timeline. Thank you for your patience. 

[Introduction]

To improve endpoint performance and focus on higher-value network telemetry, Microsoft is removing SMB signature inspection events from Advanced Hunting in Microsoft Defender for Endpoint. This change reflects observed low customer value for SMB signature data on endpoints and our continued investment in more advanced SMB visibility through Zeek-based network capabilities

[When this will happen:]

The rollout to Worldwide, GCC, GCC High, and DoD will begin on July 13, 2026, and will complete shortly thereafter across all tenants.

[How this affects your organization:]

Who is affected:

  • Security administrators and analysts using Microsoft Defender for Endpoint Advanced Hunting
  • Organizations with custom detection rules, hunting queries, scheduled queries, or automated workflows that reference SMB signature inspection events

What will happen:

  • Events with ActionType = “NetworkSignatureInspected” and SignatureName = “SMB_Client” will no longer be generated.
  • Queries, detections, or workflows that rely on these events will stop returning results after the rollout.
  • Other network signature inspection events remain unchanged.
  • The change is on by default and does not require tenant configuration.

[What you can do to prepare:]

To continue identifying SMB traffic in Advanced Hunting, we recommend filtering on port 445, the standard port used by SMB, in the DeviceNetworkEvents table, which remains fully supported.

  • Review custom detection rules, saved hunting queries, scheduled queries, and automated workflows for references to SMB_Client.
  • Update affected queries to identify SMB traffic using port-based filtering.
  • Validate updated queries return the expected results before July 1, 2026.

Query update example

Replace:


DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)
| where SignatureName == "SMB_Client"

With:


DeviceNetworkEvents
| where RemotePort == 445 or LocalPort == 445

For questions or feedback regarding this change, contact Microsoft Support or your Microsoft account representative.

[Compliance considerations:]

  • Admin monitoring and reporting: The removal of SMB signature inspection events changes available Advanced Hunting telemetry and may affect how administrators monitor or investigate SMB activity.

We are here for you!

Do you have any questions or need assistance? We’re happy to help.