Forum Discussion
eladfe
Mar 23, 2025 Copper Contributor
KQL query for AV scan
Hey, I want to get info about the last time that AV scanned the computers in my org. I wrote this query: DeviceEvents | where ActionType == "AntivirusScanCompleted" | extend SCAN = parse_json...
eladfe
May 06, 2025 Copper Contributor
Thank you!
How can I get results of all scans in the last 7 days, for example?
Let's say a quick scan ran yesterday and a full scan ran 3 days ago. With this query it will show me the last scan = the quick scan that ran yesterday, but not the full scan that ran 3 days ago.
May 13, 2025
I tried to run your initial query and noticed you have already extended a new column as SCAN.
So, if you would like only Full scans, have you tried to filter SCAN == "Full" or another value with the same meaning (maybe | where not (SCAN == "Quick"))? My test tenant has only Quick scans, so I cannot test this for you, though.
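
An added example, not part of either post: one way to list the most recent completed scan of each type per device over the last 7 days, so a quick scan from yesterday and a full scan from 3 days ago both appear. It assumes the scan type is carried in `AdditionalFields` as `ScanTypeIndex`, since the original query is truncated on this page; `LastScan`, `ScanCount` and `DaysSinceScan` are names chosen here.

```kql
// Assumption: the scan type is stored in AdditionalFields as ScanTypeIndex
// (for example "Quick" or "Full"); adjust the field name if your events differ.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusScanCompleted"
| extend SCAN = tostring(parse_json(AdditionalFields).ScanTypeIndex)
// Group by device AND scan type, so each type keeps its own latest timestamp
// instead of the newest scan hiding the older ones.
| summarize LastScan = max(Timestamp), ScanCount = count() by DeviceId, DeviceName, SCAN
| extend DaysSinceScan = datetime_diff("day", now(), LastScan)
| order by DeviceName asc, LastScan desc
```

Devices with no completed scan in the window produce no rows, so compare the output against your device inventory to find machines that were not scanned at all.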