Forum Discussion
Advanced Hunting for last full scan
Hi,
I need to find which devices have ran a Full Scan, on which date and which didn't run.
Basically I need to extract the information provided on the device dashboard.
Is this information stored on any table?
If not, is there any way of getting it massively?
Thanks
Hey 🙂
Try this:
DeviceEvents
| where ActionType contains "AntivirusScan"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"]
| project Timestamp, DeviceName, ActionType, ScanType
| where ScanType contains "Full" and ActionType contains "AntivirusScanCompleted"
If you want see other status than Completed remove "and ActionType contains "AntivirusScanCompleted""
Hey 🙂
Try this:
DeviceEvents
| where ActionType contains "AntivirusScan"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"]
| project Timestamp, DeviceName, ActionType, ScanType
| where ScanType contains "Full" and ActionType contains "AntivirusScanCompleted"
If you want see other status than Completed remove "and ActionType contains "AntivirusScanCompleted""- Hi,
Thanks. That makes the case.
Is there any additional log that may help me to understand why the scans were cancelled?
