Forum Discussion
eladfe
Mar 23, 2025 · Copper Contributor
KQL query for AV scan
Hey, I want to get info about the last time that AV scanned the computers in my org. I wrote this query: DeviceEvents | where ActionType == "AntivirusScanCompleted" | extend SCAN = parse_json...
micheleariis
May 07, 2025 · MCT
Hi Elad,
to see all the scans for the last 7 days, you need to:
Remove arg_max (which only takes the last event).
Filter on TimeGenerated > ago(7d).
For example:
DeviceEvents
| where ActionType == "AntivirusScanCompleted"
| extend ScanType = parse_json(AdditionalFields).ScanTypeIndex
| where TimeGenerated > ago(7d)
| project DeviceName, ScanTime = TimeGenerated, ScanType, ScanId
| order by DeviceName asc, ScanTime desc
This will return to you, for each computer, all scan entries completed in the last 7 days (quick, full, etc.), sorted by most recent.
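The reply above lists every scan in the window; the original question asked for the last scan per device, which is what arg_max is for. The following query is an added example, not code from either poster, and combines both ideas: it keeps one row per device (the most recent completed scan), flags devices whose last scan is older than 7 days, and, by joining against DeviceInfo, also surfaces devices that reported no scan at all in the lookback window, which the reply's query would silently omit. It assumes the Microsoft Sentinel DeviceEvents and DeviceInfo tables with a TimeGenerated column (in the Defender portal's Advanced Hunting the equivalent column is Timestamp); the lookback and stale_after values and the ScanStatus labels are constructed for this example.

```kql
// Added example, not from the original thread. Assumes Sentinel's DeviceEvents
// and DeviceInfo tables with TimeGenerated (use Timestamp in Advanced Hunting).
let lookback = 30d;       // how far back to look for scan events (assumed value)
let stale_after = 7d;     // a last scan older than this is reported as stale (assumed value)
// Most recent completed AV scan per device, with the scan type pulled out of AdditionalFields.
let scans = DeviceEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType == "AntivirusScanCompleted"
    | extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex)
    | summarize arg_max(TimeGenerated, ScanType, ScanId) by DeviceId
    | project DeviceId, LastScanTime = TimeGenerated, ScanType, ScanId;
// Start from the device inventory so devices with no scan event still appear.
DeviceInfo
| where TimeGenerated > ago(lookback)
| summarize arg_max(TimeGenerated, DeviceName, OSPlatform) by DeviceId
| project DeviceId, DeviceName, OSPlatform
| join kind=leftouter scans on DeviceId
| extend ScanStatus = case(
    isnull(LastScanTime), "NoScanInWindow",      // device never logged a completed scan in the window
    LastScanTime < ago(stale_after), "Stale",    // last scan exists but is older than stale_after
    "Recent")
| extend DaysSinceLastScan = datetime_diff('day', now(), LastScanTime)
| project DeviceName, OSPlatform, LastScanTime, DaysSinceLastScan, ScanType, ScanId, ScanStatus
| order by ScanStatus asc, LastScanTime asc
```

The leftouter join is the important design choice: an inner join or the reply's DeviceEvents-only query can only show devices that produced a scan event, so a machine whose AV has stopped scanning entirely would never appear in a "stale scans" report. Sorting by ScanStatus then LastScanTime puts the devices needing attention at the top.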