Available 'AdditionalFields' in ActionType for Device Events


Hi community, novice question over here. Looking at the code below, I can see the creator of this code is calling for AdditionalFields such as ThreatName, WasRemediated, WasExecutingWhileDetected for action type 'AntivirusDetection'.

 

My question is, how can I see the total available additional fields for this action type? I cannot find any using the Data Schema, any advice will be very appreciated.

 

DeviceEvents
| where ActionType == "AntivirusDetection" 
| extend ParsedFields=parse_json(AdditionalFields)
| project ThreatName=tostring(ParsedFields.ThreatName),
          WasRemediated=tobool(ParsedFields.WasRemediated),
          WasExecutingWhileDetected=tobool(ParsedFields.WasExecutingWhileDetected),
          FileName, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine,
          DeviceName, Timestamp, Updated=tostring(ParsedFields.Scanned)
| limit 100
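
One way to list the keys that actually occur in AdditionalFields for this action type is shown below. It is an added example, not part of the original post, and it reports only keys observed in your own data rather than a documented schema. The 30-day lookback and the output column names (FieldName, Events, SampleValue) are assumptions.

```kusto
// Added example: enumerate the keys present in AdditionalFields for one ActionType.
// The 30-day window is an assumed lookback; widen or narrow it as needed.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "AntivirusDetection"
| where isnotempty(AdditionalFields)
| extend ParsedFields = parse_json(AdditionalFields)
// bag_keys() returns the top-level property names of the JSON object;
// mv-expand turns that array into one row per key.
| mv-expand FieldName = bag_keys(ParsedFields) to typeof(string)
// Count how many events carry each key and keep one sample value per key,
// which helps decide between tostring(), tobool(), toint() when projecting.
| summarize Events = count(),
            SampleValue = take_any(tostring(ParsedFields[FieldName]))
        by FieldName
| order by Events desc
```

Dropping the ActionType filter and adding ActionType to the `by` clause gives the same inventory for every action type in DeviceEvents.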