MC1330888 Upcoming change to Microsoft Defender for Endpoint Advanced Hunting: removal of SMB signature data

Summary

  • Microsoft is removing SMB signature inspection events (ActionType == "NetworkSignatureInspected" with SignatureName == "SMB_Client") from Defender for Endpoint Advanced Hunting.
  • Affected: security administrators and analysts with custom detection rules, saved/scheduled hunting queries, or automated workflows that reference SMB_Client signature events.
  • No admin opt-out: the change is on by default; other network signature inspection events are unchanged.
  • Action recommended: review and update queries/detections/workflows to identify SMB traffic by port (RemotePort == 445 or LocalPort == 445) and validate results.

Primary Service: Defender XDR
Admin Impact: High
User Impact: Low
Release Start: 01 Jul 2026
Release End: 01 Jul 2026
Services: Defender XDR
Category: Plan for change
Tags: Admin Action, Retirement

History

6/1/2026 Item Added to Message Center

Microsoft Message

Introduction

To improve endpoint performance and focus on higher-value network telemetry, Microsoft is removing SMB signature inspection events from Advanced Hunting in Microsoft Defender for Endpoint. This change reflects observed low customer value for SMB signature data on endpoints and our continued investment in more advanced SMB visibility through Zeek-based network capabilities.

When this will happen

The rollout to Worldwide, GCC, GCC High, and DoD will begin on July 1, 2026, and will complete shortly thereafter across all tenants.

How this affects your organization

Who is affected:

  • Security administrators and analysts using Microsoft Defender for Endpoint Advanced Hunting
  • Organizations with custom detection rules, hunting queries, scheduled queries, or automated workflows that reference SMB signature inspection events

What will happen:

  • Events with ActionType = "NetworkSignatureInspected" and SignatureName = "SMB_Client" will no longer be generated.
  • Queries, detections, or workflows that rely on these events will stop returning results after the rollout.
  • Other network signature inspection events remain unchanged.
  • The change is on by default and does not require tenant configuration.

What you can do to prepare

To continue identifying SMB traffic in Advanced Hunting, we recommend filtering on port 445, the standard port used by SMB, in the DeviceNetworkEvents table, which remains fully supported.

  • Review custom detection rules, saved hunting queries, scheduled queries, and automated workflows for references to SMB_Client.
  • Update affected queries to identify SMB traffic using port-based filtering.
  • Validate that updated queries return the expected results before July 1, 2026.

Query update example

Replace:

DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)
| where SignatureName == "SMB_Client"

With:

DeviceNetworkEvents
| where RemotePort == 445 or LocalPort == 445
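
One way to carry out the validation step while the legacy events still exist, as an added example that is not part of Microsoft's notice: it compares, per device, what the SMB_Client signature filter and the port 445 filter each return. The 7-day lookback, the output column names, and the Coverage labels are assumptions chosen for illustration.

```kusto
// Added example: side-by-side coverage of the legacy and replacement filters.
// Assumption: 7 days of data is enough to be representative for your tenant.
DeviceNetworkEvents
| where Timestamp > ago(7d)
// Keep signature events regardless of port, plus anything on port 445.
| where ActionType == "NetworkSignatureInspected"
    or RemotePort == 445 or LocalPort == 445
| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)
| extend IsLegacy = ActionType == "NetworkSignatureInspected"
    and SignatureName == "SMB_Client"
// Exclude signature events from the port side: they disappear after the
// rollout, so counting them would overstate what the new filter will see.
| extend IsPortBased = ActionType != "NetworkSignatureInspected"
    and (RemotePort == 445 or LocalPort == 445)
| summarize
    LegacySignatureEvents = countif(IsLegacy),
    PortEvents = countif(IsPortBased),
    // The port filter has no ActionType restriction, so list what it matches.
    PortActionTypes = make_set_if(ActionType, IsPortBased)
    by DeviceId, DeviceName
| where LegacySignatureEvents > 0 or PortEvents > 0
| extend Coverage = case(
    LegacySignatureEvents > 0 and PortEvents == 0, "gap: signature only",
    LegacySignatureEvents == 0 and PortEvents > 0, "port only",
    "both")
| order by Coverage asc, LegacySignatureEvents desc
```

Devices labelled "gap: signature only" are where a rule rewritten to the port filter would return nothing for activity the legacy rule sees today. PortActionTypes shows which event types the broader port filter brings in, which matters for detections that previously assumed a single ActionType.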

For questions or feedback regarding this change, contact Microsoft Support or your Microsoft account representative.

Compliance considerations

Admin monitoring and reporting: The removal of SMB signature inspection events changes available Advanced Hunting telemetry and may affect how administrators monitor or investigate SMB activity.