Forum Discussion
MikeP751860
Sep 21, 2023 · Brass Contributor
Accessing a device scan results in Defender portal
Hi, I have been asked by our service desk if they start a scan using the Defender portal against an onboarded device can they see the final scan results. I believe all we can see is when the last...
am1357
Oct 13, 2023 · Brass Contributor
I noticed the same. The answer from Microsoft was that when the manual scan (triggered through the portal) comes back with a hit, another incident/alert is generated. If it doesn't, then the manual scan did not find anything ... of course this is not satisfying from an admin view.
You can use Advanced Hunting to search for and create a custom alert when a scan was successful:
//name: Defender for Antivirus (MDAV) Scan Status
//description:
//This query will provide a report with devices and their antivirus scan status, e.g. a full scan was completed, cancelled.
//This query can also be used to create a custom detection rule to create an informational alert when a manually triggered quick or full scan was completed.
//Column StartedBy contains the following values:
//NETWORK SERVICE – Scheduled scan
//SYSTEM – Triggered manually via cloud, e.g. Intune
//USER – Triggered manually locally
DeviceEvents
| where ActionType has_any ("AntivirusScan", "AntivirusScanCompleted", "AntivirusScanCancelled")
| extend AdditionalFields = parse_json(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"], StartedBy= AdditionalFields.["User"]
| project Timestamp, DeviceId, ReportId, DeviceName, ActionType, ScanType, StartedBy
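Building on the query in the answer above, the following added example (not part of the original post) narrows the result to the most recent completed or cancelled scan per device that was started by SYSTEM, and shows next to it how many antivirus detections the device logged in the same window. The one-day lookback, the `AntivirusDetection` action type, and the variable names are assumptions of this example. The detection count covers the whole window and is not tied to one specific scan.

```kusto
// Added example, not from the original post.
// Assumption: portal/cloud-triggered scans report User = SYSTEM, as the post's comments describe.
let lookback = 1d; // assumed window, adjust to how long ago the scan was started
let scans = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled")
    | extend Fields = parse_json(AdditionalFields)
    | extend ScanType = tostring(Fields.ScanTypeIndex), StartedBy = tostring(Fields.User)
    | where StartedBy has "SYSTEM"
    // keep only the latest scan event per device
    | summarize arg_max(Timestamp, ReportId, ActionType, ScanType, StartedBy) by DeviceId, DeviceName;
let detections = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AntivirusDetection"
    // detections in the same window, not linked to a specific scan
    | summarize DetectionCount = count(), LastDetection = max(Timestamp) by DeviceId;
scans
| join kind=leftouter detections on DeviceId
| extend DetectionCount = coalesce(DetectionCount, 0) // devices without detections show 0
| project Timestamp, DeviceId, ReportId, DeviceName, ActionType, ScanType, StartedBy, DetectionCount, LastDetection
| order by Timestamp desc
```

The output keeps `Timestamp`, `DeviceId` and `ReportId`, the same columns the original query projects, so it can be used for a custom detection rule in the same way.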