Feb 14 2023 10:15 AM
Hi,
I need to find which devices have run a Full Scan, on which date, and which didn't run one.
Basically I need to extract the information provided on the device dashboard.
Is this information stored on any table?
If not, is there any way of getting it massively?
Thanks
Feb 16 2023 01:52 AM - edited Feb 16 2023 01:53 AM
Solution
Hey 🙂
Try this:
DeviceEvents
| where ActionType contains "AntivirusScan"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"]
| project Timestamp, DeviceName, ActionType, ScanType
| where ScanType contains "Full" and ActionType contains "AntivirusScanCompleted"
If you want to see statuses other than Completed, remove "and ActionType contains "AntivirusScanCompleted""
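The query above returns only devices that logged a completed full scan. To also list the devices that did not, as the question asks, the added example below (not part of the original answer) joins the device inventory against those events. It assumes the DeviceInfo table covers the devices to report on, and the 30-day lookback is a placeholder value.

```kusto
// Added example: last completed full scan per device, including devices with none.
// Assumptions: DeviceInfo is the inventory to report on; lookback is a placeholder.
let lookback = 30d;
let FullScans = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AntivirusScanCompleted"
    // Same field the answer uses; cast to string so the text filter is explicit
    | extend ScanType = tostring(todynamic(AdditionalFields).ScanTypeIndex)
    | where ScanType contains "Full"
    | summarize LastFullScan = max(Timestamp) by DeviceId;
DeviceInfo
| where Timestamp > ago(lookback)
// One row per device, keeping the most recently reported name
| summarize arg_max(Timestamp, DeviceName) by DeviceId
// leftouter keeps devices that have no matching scan event
| join kind=leftouter FullScans on DeviceId
| extend FullScanStatus = iff(isnull(LastFullScan), "No full scan in window", "Completed")
| project DeviceName, DeviceId, LastFullScan, FullScanStatus
| order by FullScanStatus desc, LastFullScan asc
```

A device shows "No full scan in window" when no completed full-scan event exists inside the lookback period, which also covers devices whose last full scan is older than the window.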
Feb 16 2023 06:15 AM