Av Scan Results

# Function: AVScanResults()

## Query Information

#### Description
The KQL function *AVScanResults()* collects the antivirus scan results recorded for a single device. It takes two input variables, *DeviceIdInput* and *AvScanType*: *DeviceIdInput* is the DeviceId of the device whose results you want to list, and *AvScanType* can be Quick, Full or Custom.

#### References
- https://learn.microsoft.com/en-us/defender-endpoint/schedule-antivirus-scans

## Defender XDR
```KQL
// AvScanType can be: Quick, Custom or Full
let AVScanResults = (DeviceIdInput:string, AvScanType:string) {
    DeviceTvmInfoGathering
    | where DeviceId == DeviceIdInput
    // AdditionalFields.AvScanResults holds the scan results as a JSON document
    | extend AvScanResults = extractjson("$", tostring(AdditionalFields.AvScanResults))
    // one row per scan result entry
    | mv-expand todynamic(AvScanResults)
    // pick the entry for the requested scan type (Quick, Full or Custom)
    | extend Results = AvScanResults[AvScanType]
    | extend ScanStatus = extractjson("$.ScanStatus", tostring(Results)),
             ErrorCode = extractjson("$.ErrorCode", tostring(Results)),
             Timestamp = extractjson("$.Timestamp", tostring(Results))
    | where isnotempty(ScanStatus)
    | project DeviceId, DeviceName, ScanStatus, Timestamp, ErrorCode, AvScanResults
};
AVScanResults("70da955b16e5717fc3xxxxxxxxxxxxx", "Full")
```

## Explanation

The KQL query defines a function called AVScanResults() that retrieves antivirus scan results for a specific device. Here's a simplified breakdown of what the query does:

1. Inputs: The function takes two inputs:
   - DeviceIdInput: The unique identifier of the device you want to check.
   - AvScanType: The type of antivirus scan you are interested in, which can be "Quick", "Full" or "Custom".
2. Data Source: It queries the DeviceTvmInfoGathering table, which contains information about devices.
3. Filtering: The query filters the data to only include records where the DeviceId matches the DeviceIdInput.
4. Extracting Scan Results: It extracts the antivirus scan results from a JSON field called AdditionalFields.AvScanResults.
5. Expanding Results: The results are expanded to handle multiple entries, if any.
6. Selecting Specific Scan Type: It selects the results corresponding to the specified AvScanType.
7. Extracting Details: From the selected results, it extracts specific details:
   - ScanStatus: The status of the scan.
   - ErrorCode: Any error codes associated with the scan.
   - Timestamp: The time when the scan was conducted.
8. Filtering Non-Empty Results: It ensures that only records with a non-empty ScanStatus are included.
9. Output: Finally, it projects (selects) the relevant fields to display: DeviceId, DeviceName, ScanStatus, Timestamp, ErrorCode, and the full AvScanResults.

The function is then called with a specific DeviceId and scan type "Full" to retrieve the full scan results for that device.
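The function above answers the question for one device. For hygiene monitoring it is usually more useful to run the same extraction across the whole tenant and surface devices whose last scan of a given type failed or is stale. The query below is an added example, not part of the original page or the author's query; it assumes the same AdditionalFields.AvScanResults shape the function relies on, and the ScanStatus value "Completed", the 7-day threshold and the `ScanType` / `MaxAge` names are assumptions to adjust to your own data.

```kql
// Added example: devices whose most recent scan of the given type did not
// complete, or whose last scan is older than MaxAge.
// Assumptions: AdditionalFields.AvScanResults has the same structure the
// AVScanResults() function expects; "Completed" is the assumed success value
// of ScanStatus - verify it against your tenant before alerting on it.
let ScanType = "Full";          // Quick, Full or Custom
let MaxAge = 7d;                // assumed freshness threshold
DeviceTvmInfoGathering
| extend AvScanResults = todynamic(tostring(AdditionalFields.AvScanResults))
| mv-expand AvScanResults
| extend Results = AvScanResults[ScanType]
| where isnotempty(Results)
| extend ScanStatus = tostring(Results.ScanStatus),
         ErrorCode = tostring(Results.ErrorCode),
         LastScan = todatetime(Results.Timestamp)
// keep only the latest result per device
| summarize arg_max(LastScan, ScanStatus, ErrorCode, DeviceName) by DeviceId
| where ScanStatus != "Completed" or LastScan < ago(MaxAge)
| project DeviceId, DeviceName, ScanStatus, ErrorCode, LastScan,
          DaysSinceScan = datetime_diff('day', now(), LastScan)
| order by LastScan asc
```

The `summarize arg_max(...)` step matters because DeviceTvmInfoGathering can contain several snapshots per device; without it a device that has since completed a scan would still show up for an older failed entry.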

## Details

Author: Bert-Jan Pals

Released: October 9, 2024

Tables: DeviceTvmInfoGathering

Keywords: DeviceTvmInfoGathering, AdditionalFields, AvScanResults, Results, ScanStatus, ErrorCode, Timestamp, DeviceName

Operators: let, |, ==, extend, extractjson, tostring, mv-expand, todynamic, where, isnotempty, project