Forum Discussion
KQL query for AV scan
Hi Elad,
To include the date and time when each scan ran, you need to use the "TimeGenerated" (or "Timestamp") column in your DeviceEvents table; it records exactly when the event was logged.
For example:
```kql
DeviceEvents
| where ActionType == "AntivirusScanCompleted"
| extend ScanType = parse_json(AdditionalFields).ScanTypeIndex
| summarize arg_max(TimeGenerated, *) by DeviceName
| project DeviceName, LastScanTime = TimeGenerated, ScanType, ScanId
```
- Using arg_max(TimeGenerated, *) returns, for each DeviceName, the record with the newest timestamp, including all columns (so you get ScanId, etc.).
- If you only need the timestamp of the last scan, you can simplify to:
```kql
DeviceEvents
| where ActionType == "AntivirusScanCompleted"
| summarize LastScanTime = max(TimeGenerated) by DeviceName
```
This produces a two-column table: DeviceName | LastScanTime
ScanId
That value—`{041A5DF1-3A85-49D5-B0B0-2231AF4AC13C}`—is simply a **GUID** (Global Unique Identifier). Every scan run gets its own unique ID so you can reliably distinguish one scan event from another in your logs. It doesn’t encode any extra information (like scan type or date); it’s just a unique marker for that single scan.
Hope this helps
Thank you!
How can I get results of all scans in the last 7 days, for example?
Let's say a quick scan ran yesterday and a full scan ran 3 days ago. With this query it will show me the
last scan = the quick scan that ran yesterday, but not the full scan run 3 days ago.
- May 13, 2025
I tried to run your initial query and noticed you have already extended a new column as SCAN.
So, if you would like only Full scans, have you tried filtering SCAN == "Full" or another value with the same meaning (maybe `| where not (SCAN == "Quick")`)? My test tenant has only Quick scans so I cannot test this for you, though.