dmarquesgn
Iron Contributor
Feb 14, 2023

Advanced Hunting for last full scan

Hi, I need to find which devices have run a Full Scan, on which date and which didn't run. Basically I need to extract the information provided on the device dashboard. Is this informatio...
  • P4tr8k
    Feb 16, 2023

    Hey 🙂
    Try this:

    DeviceEvents
    | where ActionType contains "AntivirusScan"
    | extend AdditionalFields = todynamic(AdditionalFields)
    | extend ScanType = AdditionalFields.["ScanTypeIndex"]
    | project Timestamp, DeviceName, ActionType, ScanType
    | where ScanType contains "Full" and ActionType contains "AntivirusScanCompleted"

    If you want to see statuses other than Completed, remove this part of the last line: and ActionType contains "AntivirusScanCompleted"
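
Added example, not part of the original thread: the reply's query lists devices that completed a full scan, and this one also covers the "which didn't run" part of the question by left-joining the device inventory against each device's most recent completed full scan. The `DeviceInfo` join and the 30-day lookback are assumptions; a device reported as having no full scan simply has no matching event inside that window.

```kusto
// Lookback window (assumption: 30 days; adjust to your data retention).
let lookback = 30d;
// Most recent completed full scan per device, using the same filter as the reply above.
let FullScans = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AntivirusScanCompleted"
    | extend ScanType = tostring(todynamic(AdditionalFields).ScanTypeIndex)
    | where ScanType contains "Full"
    | summarize LastFullScan = max(Timestamp) by DeviceId;
// Latest inventory record per device, so devices with no scan events still appear.
DeviceInfo
| where Timestamp > ago(lookback)
| summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId
| join kind=leftouter FullScans on DeviceId
| extend FullScanStatus = iff(isnull(LastFullScan), "No full scan in window", "Completed")
| project DeviceName, OSPlatform, LastFullScan, FullScanStatus
// Devices without a full scan sort to the top.
| order by LastFullScan asc nulls first
```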
