Forum Discussion
Advanced Hunting for last full scan
- Feb 16, 2023
Hey 🙂
Try this:
DeviceEvents
| where ActionType contains "AntivirusScan"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"]
| project Timestamp, DeviceName, ActionType, ScanType
| where ScanType contains "Full" and ActionType contains "AntivirusScanCompleted"
If you want to see statuses other than Completed, remove "and ActionType contains "AntivirusScanCompleted"".
- dmarquesgn, Feb 16, 2023, Iron Contributor
Hi,
Thanks. That makes the case.
Is there any additional log that may help me to understand why the scans were cancelled?