Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Feb 14, 2023
Solved

Advanced Hunting for last full scan

Hi,   I need to find which devices have ran a Full Scan, on which date and which didn't run. Basically I need to extract the information provided on the device dashboard. Is this informatio...
  • P4tr8k's avatar
    P4tr8k
    Feb 16, 2023

    Hey 🙂
    Try this:

    DeviceEvents
    | where ActionType contains "AntivirusScan"
    | extend AdditionalFields = todynamic(AdditionalFields)
    | extend ScanType = AdditionalFields.["ScanTypeIndex"]
    | project Timestamp, DeviceName, ActionType, ScanType
    | where ScanType contains "Full" and ActionType contains "AntivirusScanCompleted"

    If you want see other status than Completed remove "and ActionType contains "AntivirusScanCompleted""

     

P4tr8k's avatar
P4tr8k
Brass Contributor
Feb 16, 2023

Hey 🙂
Try this:

DeviceEvents
| where ActionType contains "AntivirusScan"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"]
| project Timestamp, DeviceName, ActionType, ScanType
| where ScanType contains "Full" and ActionType contains "AntivirusScanCompleted"

If you want see other status than Completed remove "and ActionType contains "AntivirusScanCompleted""

 

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Feb 16, 2023
Hi,
Thanks. That makes the case.
Is there any additional log that may help me to understand why the scans were cancelled?

Resources