Forum Discussion
juliu_s
Aug 19, 2025 | Copper Contributor
Alert Rule Fails on Dynamic Field Parsing in DeviceTvmInfoGathering
Hi,
Need Help: Alert Rule Fails but Hunting Query Works (Dynamic Fields Issue)
Alert Rule Query Fails When Using parse_json on AdditionalFields — Any Workarounds?
I need to get an alert when AvMode is disabled.
KQL:
DeviceTvmInfoGathering
| where isnotempty(AdditionalFields)
| where Timestamp > ago(1h)
| extend AF = parse_json(AdditionalFields)
| where AF has "AvMode"
| extend AvMode = tostring(AF.AvMode)
| where AvMode == "2"
| extend ReportId = tolong(abs(hash(DeviceId)))
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, AvMode
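As an added example (not part of the original post and not Microsoft's code), the same detection logic implemented in Python over constructed DeviceTvmInfoGathering-style rows, so the filtering can be checked outside the alert rule engine; it also covers AvMode arriving as a JSON number rather than a string, which the KQL's tostring() handles. The sample rows and the ReportId stand-in (SHA-256 based, not KQL's hash()) are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample rows mimicking DeviceTvmInfoGathering (not real telemetry).
NOW = datetime(2025, 8, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"Timestamp": NOW - timedelta(minutes=5), "DeviceId": "dev-a", "DeviceName": "host-a",
     "OSPlatform": "Windows11", "AdditionalFields": '{"AvMode": "2", "AvEngineVersion": "1.1"}'},
    {"Timestamp": NOW - timedelta(minutes=10), "DeviceId": "dev-b", "DeviceName": "host-b",
     "OSPlatform": "Windows10", "AdditionalFields": '{"AvMode": 2}'},            # numeric, not string
    {"Timestamp": NOW - timedelta(minutes=15), "DeviceId": "dev-c", "DeviceName": "host-c",
     "OSPlatform": "Windows11", "AdditionalFields": '{"AvMode": "0"}'},          # AV active
    {"Timestamp": NOW - timedelta(hours=3), "DeviceId": "dev-d", "DeviceName": "host-d",
     "OSPlatform": "Windows11", "AdditionalFields": '{"AvMode": "2"}'},          # outside 1h window
    {"Timestamp": NOW - timedelta(minutes=1), "DeviceId": "dev-e", "DeviceName": "host-e",
     "OSPlatform": "WindowsServer2022", "AdditionalFields": ""},                 # empty field
    {"Timestamp": NOW - timedelta(minutes=2), "DeviceId": "dev-f", "DeviceName": "host-f",
     "OSPlatform": "Windows11", "AdditionalFields": "not json"},                 # unparsable
]

def report_id(device_id: str) -> int:
    """Stable positive 63-bit id per device: a stand-in for abs(hash(DeviceId)), not KQL's hash()."""
    digest = hashlib.sha256(device_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") & 0x7FFF_FFFF_FFFF_FFFF

def find_av_mode_disabled(rows, now=NOW, lookback=timedelta(hours=1)):
    """Mirror the post's KQL: AdditionalFields present, within lookback, AvMode == "2"."""
    hits = []
    for row in rows:
        af_raw = row.get("AdditionalFields")
        if not af_raw or row["Timestamp"] <= now - lookback:
            continue                                  # isnotempty() and Timestamp > ago(1h)
        try:
            af = json.loads(af_raw)                   # parse_json(AdditionalFields)
        except json.JSONDecodeError:
            continue                                  # parse_json yields null; no AvMode to match
        if not isinstance(af, dict) or "AvMode" not in af:
            continue                                  # AF has "AvMode"
        av_mode = str(af["AvMode"])                   # tostring(AF.AvMode): "2" and 2 both match
        if av_mode != "2":
            continue
        hits.append({"Timestamp": row["Timestamp"], "ReportId": report_id(row["DeviceId"]),
                     "DeviceId": row["DeviceId"], "DeviceName": row["DeviceName"],
                     "OSPlatform": row["OSPlatform"], "AvMode": av_mode})
    return hits

if __name__ == "__main__":
    for hit in find_av_mode_disabled(SAMPLE_ROWS):
        print(hit["DeviceName"], hit["ReportId"])
```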
No Replies