SOLVED

Advanced Hunting for last full scan

Iron Contributor

Hi,

 

I need to find which devices have ran a Full Scan, on which date and which didn't run.

Basically I need to extract the information provided on the device dashboard.

Screenshot_6.png

Is this information stored on any table?

If not, is there any way of getting it massively?

Thanks

2 Replies
best response confirmed by dmarquesgn (Iron Contributor)
Solution

Hey 🙂
Try this:

DeviceEvents
| where ActionType contains "AntivirusScan"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"]
| project Timestamp, DeviceName, ActionType, ScanType
| where ScanType contains "Full" and ActionType contains "AntivirusScanCompleted"

If you want see other status than Completed remove "and ActionType contains "AntivirusScanCompleted""

 

Hi,
Thanks. That makes the case.
Is there any additional log that may help me to understand why the scans were cancelled?
1 best response

Accepted Solutions
best response confirmed by dmarquesgn (Iron Contributor)
Solution

Hey 🙂
Try this:

DeviceEvents
| where ActionType contains "AntivirusScan"
| extend AdditionalFields = todynamic(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"]
| project Timestamp, DeviceName, ActionType, ScanType
| where ScanType contains "Full" and ActionType contains "AntivirusScanCompleted"

If you want see other status than Completed remove "and ActionType contains "AntivirusScanCompleted""

 

View solution in original post