Available 'AdditionalFields' in ActionType for Device Events

Occasional Visitor

Hi community, novice question over here, looking at the code below I can se the creator of this code is calling for AdditionalFields such as ThreatName, WasRemediated, WasExecutingWhileDetected for action type 'AntivirusDetection'.

 

My question is, how can I see the total available additional fields for this action type? I cannot find any using the Data Schema, any advice will be very appreciated.

 

DeviceEvents
| where ActionType == "AntivirusDetection" 
| extend ParsedFields=parse_json(AdditionalFields)
| project ThreatName=tostring(ParsedFields.ThreatName),
          WasRemediated=tobool(ParsedFields.WasRemediated),
          WasExecutingWhileDetected=tobool(ParsedFields.WasExecutingWhileDetected),
          FileName, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine,
          DeviceName, Timestamp, Updated=tostring(ParsedFields.Scanned)
| limit 100
0 Replies