Available 'AdditionalFields' in ActionType for Device Events

Copper Contributor

Hi community, novice question over here, looking at the code below I can se the creator of this code is calling for AdditionalFields such as ThreatName, WasRemediated, WasExecutingWhileDetected for action type 'AntivirusDetection'.


My question is, how can I see the total available additional fields for this action type? I cannot find any using the Data Schema, any advice will be very appreciated.


| where ActionType == "AntivirusDetection" 
| extend ParsedFields=parse_json(AdditionalFields)
| project ThreatName=tostring(ParsedFields.ThreatName),
          FileName, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine,
          DeviceName, Timestamp, Updated=tostring(ParsedFields.Scanned)
| limit 100
0 Replies