Forum Discussion
Review Defender Scan Results - Linux
Hi Team,
Please advise how to review Defender full scan results on a Linux endpoint and any detections identified. As per Microsoft, it should show up in the MS 365 Defender > Alerts section; however, I have found nothing there.
I have tried to browse through the directory on the endpoint, /var/opt/microsoft/mdatp/log/, but it doesn't exist. Do I have to enable logging to review scan results?
Can these results be shipped to Sentinel so that we have logging enabled?
- am1357 (Brass Contributor)
If MDAV had found a threat, an alert/incident would have been opened. You can check the status of the full scan by going to the device page in Defender XDR, checking the device health reports (Defender XDR > Reports > Device Health > Microsoft Defender Antivirus health > Export), or using advanced hunting:

DeviceTvmInfoGathering
| where DeviceName == "enter device name"
| extend AvScanResults = tostring(AdditionalFields.AvScanResults)
| extend QuickScanResult = extractjson("$.Quick", AvScanResults, typeof(string))
| extend FullScanResult = extractjson("$.Full", AvScanResults, typeof(string))
| extend CustomScanResult = extractjson("$.Custom", AvScanResults, typeof(string))
| project-away OSPlatform, AdditionalFields, AvScanResults
| sort by Timestamp desc
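The same extraction applied offline to an exported advanced-hunting result, as an added example that is not part of the original thread: it unpacks AdditionalFields and the nested AvScanResults JSON string the way the query's tostring/extractjson chain does, and flags devices whose Full scan result is absent, unparseable, or older than a chosen age. The sample rows and the assumption that AvScanResults holds an ISO timestamp per scan type are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like an export of DeviceTvmInfoGathering.
# AdditionalFields is a JSON string whose AvScanResults value is itself a
# JSON string; the timestamp values inside it are an assumption.
SAMPLE_ROWS = [
    {"Timestamp": "2024-06-03T09:00:00Z", "DeviceName": "lnx-web-01",
     "AdditionalFields": json.dumps({"AvScanResults": json.dumps(
         {"Quick": "2024-06-03T02:00:00Z", "Full": "2024-06-01T23:30:00Z"})})},
    {"Timestamp": "2024-06-03T09:00:00Z", "DeviceName": "lnx-db-02",
     "AdditionalFields": json.dumps({"AvScanResults": json.dumps(
         {"Quick": "2024-06-03T02:00:00Z"})})},          # no Full scan recorded
    {"Timestamp": "2024-06-03T09:00:00Z", "DeviceName": "lnx-old-03",
     "AdditionalFields": "{}"},                            # no AvScanResults at all
]

def scan_results(row):
    """Mirror the KQL: AdditionalFields -> AvScanResults -> Quick/Full/Custom.
    Missing or malformed data yields None per scan type, like extractjson's empty result."""
    try:
        fields = json.loads(row.get("AdditionalFields") or "{}")
        av = fields.get("AvScanResults")
        av = json.loads(av) if isinstance(av, str) else (av or {})
    except (TypeError, ValueError):
        av = {}
    return {k: av.get(k) for k in ("Quick", "Full", "Custom")}

def full_scan_missing_or_stale(rows, max_age_days=7, now=None):
    """Return device names whose Full scan result is absent, unparseable,
    or older than max_age_days relative to `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    flagged = []
    for row in rows:
        full = scan_results(row)["Full"]
        if not full:
            flagged.append(row["DeviceName"])
            continue
        try:
            when = datetime.fromisoformat(full.replace("Z", "+00:00"))
        except ValueError:
            flagged.append(row["DeviceName"])
            continue
        if when < cutoff:
            flagged.append(row["DeviceName"])
    return flagged

if __name__ == "__main__":
    ref = datetime(2024, 6, 5, tzinfo=timezone.utc)
    print(full_scan_missing_or_stale(SAMPLE_ROWS, now=ref))
```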