Available 'AdditionalFields' in ActionType for Device Events

Copper Contributor

Hi community, novice question over here. Looking at the code below, I can see the creator of this code is calling for AdditionalFields such as ThreatName, WasRemediated, WasExecutingWhileDetected for action type 'AntivirusDetection'.


My question is: how can I see the total available additional fields for this action type? I cannot find any using the Data Schema. Any advice will be very appreciated.


DeviceEvents
| where ActionType == "AntivirusDetection"
// AdditionalFields is a JSON string; parse it once so individual keys can be read
| extend ParsedFields=parse_json(AdditionalFields)
| project ThreatName=tostring(ParsedFields.ThreatName),
          WasRemediated=tobool(ParsedFields.WasRemediated),
          WasExecutingWhileDetected=tobool(ParsedFields.WasExecutingWhileDetected),
          FileName, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine,
          DeviceName, Timestamp, Updated=tostring(ParsedFields.Scanned)
| limit 100
0 Replies
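Since the Data Schema does not enumerate the keys inside AdditionalFields, one practical way to answer the question is to enumerate them from the data itself. The query below is an added example, not code from the original post; the 30-day window is an assumption, and the key names it returns are whatever this tenant's events actually carry.

```kql
// Added example: list every key that appears in AdditionalFields for
// AntivirusDetection events, how often each occurs, and a sample value.
// The time window is an assumption; widen it if retention allows.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "AntivirusDetection"
| extend ParsedFields = parse_json(AdditionalFields)
// mv-expand on a property bag yields one row per key, each a single-property bag
| mv-expand Field = ParsedFields
| extend Key = tostring(bag_keys(Field)[0])
| summarize EventsWithKey = count(), SampleValue = take_any(tostring(Field)) by Key
| order by EventsWithKey desc
```

Comparing EventsWithKey against the total number of AntivirusDetection events in the same window shows which keys are always present and which are optional, so a query can use tostring()/tobool() defaults for the optional ones.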