Function: AVScanResults()
Av Scan Results
Query
// AvScanType can be: Quick, Custom or Full
let AVScanResults = (DeviceIdInput:string, AvScanType:string) {
DeviceTvmInfoGathering
| where DeviceId == DeviceIdInput
| extend AvScanResults = extractjson("$", tostring(AdditionalFields.AvScanResults))
| mv-expand todynamic(AvScanResults)
| extend Results = AvScanResults[AvScanType]
| extend ScanStatus = extractjson("$.ScanStatus", tostring(Results)), ErrorCode = extractjson("$.ErrorCode", tostring(Results)), Timestamp = extractjson("$.Timestamp", tostring(Results))
| where isnotempty(ScanStatus)
| project DeviceId, DeviceName, ScanStatus, Timestamp, ErrorCode, AvScanResults
};
AVScanResults("70da955b16e5717fc3xxxxxxxxxxxxx", "Full")About this query
Function: AVScanResults()
Query Information
Description
The KQL function AVScanResults() collects this information, the function uses two input variables DeviceIdInput and AvScanType. DeviceIdInput is the DeviceId from the device you want to list results, the AvScanType can be either Quick, Full or Custom.
References
Defender XDR
Explanation
The KQL query defines a function called AVScanResults() that retrieves antivirus scan results for a specific device. Here's a simplified breakdown of what the query does:
-
Inputs: The function takes two inputs:
DeviceIdInput: The unique identifier of the device you want to check.AvScanType: The type of antivirus scan you are interested in, which can be "Quick," "Full," or "Custom."
-
Data Source: It queries the
DeviceTvmInfoGatheringtable, which contains information about devices. -
Filtering: The query filters the data to only include records where the
DeviceIdmatches theDeviceIdInput. -
Extracting Scan Results: It extracts the antivirus scan results from a JSON field called
AdditionalFields.AvScanResults. -
Expanding Results: The results are expanded to handle multiple entries, if any.
-
Selecting Specific Scan Type: It selects the results corresponding to the specified
AvScanType. -
Extracting Details: From the selected results, it extracts specific details:
ScanStatus: The status of the scan.ErrorCode: Any error codes associated with the scan.Timestamp: The time when the scan was conducted.
-
Filtering Non-Empty Results: It ensures that only records with a non-empty
ScanStatusare included. -
Output: Finally, it projects (selects) the relevant fields to display:
DeviceId,DeviceName,ScanStatus,Timestamp,ErrorCode, and the fullAvScanResults.
The function is then called with a specific DeviceId and scan type "Full" to retrieve the full scan results for that device.
Details

Bert-Jan Pals
Released: October 9, 2024
Tables
Keywords
Operators