Query Details

Defender AV Failed Full Scans

Query

//This query returns a report of all devices where a full antivirus scan was never successful
//Note: set_has_element() is used for the final membership test; the string operator !has applied to the
//dynamic array produced by make_set() may show an error in the editor, so the array function is used instead
DeviceEvents
| where ActionType has_any ("AntivirusScanCompleted", "AntivirusScanCancelled")
| extend AdditionalFields = parse_json(AdditionalFields)
| extend ScanType = tostring(AdditionalFields["ScanTypeIndex"])
| where ScanType == "Full"
| summarize set_ActionType = make_set(ActionType) by DeviceId, DeviceName
| where not(set_has_element(set_ActionType, "AntivirusScanCompleted"))

Explanation

This query is designed to generate a report listing all devices where a full antivirus scan has never been successfully completed. Here's a breakdown of what the query does:

  1. Data Source: It starts by looking at the DeviceEvents table, which contains records of various events related to devices.

  2. Filter Events: It filters the events to only include those where the action type is either "AntivirusScanCompleted" or "AntivirusScanCancelled". These events indicate whether an antivirus scan was completed or canceled.

  3. Extract Additional Information: It parses the AdditionalFields column as JSON and pulls out the ScanTypeIndex property, which indicates the type of scan performed.

  4. Focus on Full Scans: It further filters the data to only include events where the scan type was "Full", meaning it was a comprehensive antivirus scan.

  5. Summarize by Device: It groups the data by DeviceId and DeviceName, creating a set of action types (make_set(ActionType)) for each device. This set will show whether a full scan was completed or canceled.

  6. Identify Devices with No Successful Full Scans: Finally, it filters the results to only include devices where the set of action types does not contain "AntivirusScanCompleted". This means that for these devices, a full antivirus scan has never been successfully completed.

In summary, the query identifies devices that have attempted full antivirus scans but have never successfully completed one. Devices that have never started a full scan at all produce no matching events and therefore do not appear in the results.
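The following is an added example, not part of the original submission, that runs the same logic over a constructed stand-in for DeviceEvents so the edge cases can be checked before deploying the query: a device that cancelled and later completed a full scan, a device that only ever cancelled, and a device with quick scans only. It also reports the time of the last full-scan attempt and the number of cancellations per device; the sample DeviceIds, names and timestamps are invented.

```kql
// Constructed sample rows standing in for the DeviceEvents table (example data, not real telemetry)
let SampleDeviceEvents = datatable(Timestamp:datetime, DeviceId:string, DeviceName:string, ActionType:string, AdditionalFields:string)
[
    // ws01: a cancelled full scan followed by a completed one -> must NOT be reported
    datetime(2024-11-01T09:00:00Z), "dev-001", "ws01", "AntivirusScanCancelled", '{"ScanTypeIndex":"Full"}',
    datetime(2024-11-02T09:00:00Z), "dev-001", "ws01", "AntivirusScanCompleted", '{"ScanTypeIndex":"Full"}',
    // ws02: two cancelled full scans and no completion -> reported
    datetime(2024-11-03T09:00:00Z), "dev-002", "ws02", "AntivirusScanCancelled", '{"ScanTypeIndex":"Full"}',
    datetime(2024-11-05T09:00:00Z), "dev-002", "ws02", "AntivirusScanCancelled", '{"ScanTypeIndex":"Full"}',
    // ws03: quick scans only, never attempted a full scan -> filtered out before summarize, so NOT reported
    datetime(2024-11-04T09:00:00Z), "dev-003", "ws03", "AntivirusScanCompleted", '{"ScanTypeIndex":"Quick"}',
];
SampleDeviceEvents
| where ActionType has_any ("AntivirusScanCompleted", "AntivirusScanCancelled")
| extend AdditionalFields = parse_json(AdditionalFields)
| extend ScanType = tostring(AdditionalFields["ScanTypeIndex"])
| where ScanType == "Full"
// Keep the set of outcomes per device and add context useful for triage
| summarize
    ActionTypes = make_set(ActionType),
    LastFullScanAttempt = max(Timestamp),
    CancelledCount = countif(ActionType == "AntivirusScanCancelled")
    by DeviceId, DeviceName
// Membership test on the dynamic array instead of the string operator !has
| where not(set_has_element(ActionTypes, "AntivirusScanCompleted"))
| project DeviceId, DeviceName, LastFullScanAttempt, CancelledCount, ActionTypes
```

Only dev-002 (ws02) should be returned, with CancelledCount 2; ws03 illustrates that devices with no full-scan events at all need a separate check (for example, against the device inventory) if they must be surfaced too.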

Details


User Submission

Released: November 10, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, DeviceId, DeviceName, AdditionalFields, ScanType, ActionType

Operators

has_any, extend, parse_json, where, summarize, make_set, by, !has
