
Upcoming change to Microsoft Defender for Endpoint Advanced Hunting: removal of SMB signature data

Message ID
MC1330888
Service
Microsoft Defender XDR
Category
Plan for Change
Tags
Major Change, Admin impact, Retirement
Rollout
July 2026

Summary

Microsoft Defender for Endpoint will remove SMB signature inspection events from Advanced Hunting starting July 1, 2026, due to low customer value. Users must update queries referencing SMB_Client to filter on port 445 instead. Other network signature events remain unchanged; no tenant action is required to enable this change.

Details

[Introduction]

To improve endpoint performance and focus on higher-value network telemetry, Microsoft is removing SMB signature inspection events from Advanced Hunting in Microsoft Defender for Endpoint. This change reflects observed low customer value for SMB signature data on endpoints and our continued investment in more advanced SMB visibility through Zeek-based network capabilities.

[When this will happen:]

The rollout to Worldwide, GCC, GCC High, and DoD will begin on July 1, 2026, and will complete shortly thereafter across all tenants.

[How this affects your organization:]

Who is affected:

  • Security administrators and analysts using Microsoft Defender for Endpoint Advanced Hunting
  • Organizations with custom detection rules, hunting queries, scheduled queries, or automated workflows that reference SMB signature inspection events

What will happen:

  • Events with ActionType = "NetworkSignatureInspected" and SignatureName = "SMB_Client" will no longer be generated.
  • Queries, detections, or workflows that rely on these events will stop returning results after the rollout.
  • Other network signature inspection events remain unchanged.
  • The change is on by default and does not require tenant configuration.

[What you can do to prepare:]

To continue identifying SMB traffic in Advanced Hunting, we recommend filtering on port 445, the standard port used by SMB, in the DeviceNetworkEvents table, which remains fully supported.

  • Review custom detection rules, saved hunting queries, scheduled queries, and automated workflows for references to SMB_Client.
  • Update affected queries to identify SMB traffic using port-based filtering.
  • Validate that updated queries return the expected results before July 1, 2026.

Query update example

Replace:


DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)
| where SignatureName == "SMB_Client"

With:


DeviceNetworkEvents
| where RemotePort == 445 or LocalPort == 445
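
For the review step above, the following is an added example (not part of Microsoft's notice) that scans exported query text for SMB_Client references and separates queries that depend on it alone from those that list it beside other signatures. The sample queries are constructed, and "EXAMPLE_SIGNATURE" is a placeholder rather than a real signature name.

```python
import re

# A quoted string literal (either quote style) or a // line comment. Literals
# are tried first, so "//" inside a quoted string is not read as a comment.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|//[^\n]*')
# Multi-value operators whose list may name SMB_Client beside other signatures.
LIST_OP = re.compile(r"\b(?:in~?|has_any)\s*\(([^)]*)\)")
TARGET = "smb_client"  # compared in lower case, since =~ and in~ ignore case

def strip_comments(query):
    return TOKEN.sub(lambda m: "" if m.group().startswith("//") else m.group(), query)

def literals(text):
    return [m.group()[1:-1].lower() for m in TOKEN.finditer(text)
            if not m.group().startswith("//")]

def classify(query):
    """Return 'unaffected', 'partial' (SMB_Client is one of several listed
    values) or 'breaks' (the query depends on SMB_Client alone). Negated
    filters (!=, !in) are reported as well and need a manual look."""
    code = strip_comments(query)
    if TARGET not in literals(code):
        return "unaffected"
    if TARGET in literals(LIST_OP.sub("", code)):
        return "breaks"                      # direct test such as == "SMB_Client"
    for match in LIST_OP.finditer(code):
        values = set(literals(match.group(1)))
        if values == {TARGET}:
            return "breaks"                  # list names only SMB_Client
    return "partial"

def audit(saved_queries):
    """Map the name of each affected query to its status."""
    return {name: status for name, q in saved_queries.items()
            if (status := classify(q)) != "unaffected"}

# Constructed sample export: query name -> KQL text.
BASE = ('DeviceNetworkEvents\n| where ActionType == "NetworkSignatureInspected"\n'
        '| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)\n')
SAMPLE = {
    "smb-signature-hunt": BASE + '| where SignatureName == "SMB_Client"',
    "multi-signature": BASE + '| where SignatureName in ("SMB_Client", "EXAMPLE_SIGNATURE")',
    "already-migrated": 'DeviceNetworkEvents\n// was: SignatureName == "SMB_Client"\n'
                        '| where RemotePort == 445 or LocalPort == 445',
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:8} {name}")
```

A query reported as "partial" keeps returning results for its other signatures after the rollout, so only the SMB portion needs a port-based replacement.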

For questions or feedback regarding this change, contact Microsoft Support or your Microsoft account representative.

[Compliance considerations:]

  • Admin monitoring and reporting: The removal of SMB signature inspection events changes available Advanced Hunting telemetry and may affect how administrators monitor or investigate SMB activity.

Change History

No change history available
