Query Details
name: defender antivirus scan report
description:
  - --- Microsoft Defender Antivirus ---
  - Case1 - Daily "Quick scan" by count list
  - Case2 - Daily "Full scan" count list
  - Case3 - Daily "Quick" or "Full" scan time list
table:
  - DeviceEvents - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide
query: |
  //Case1 - Daily "Quick scan" by count list
  DeviceEvents
  | where Timestamp > ago(1d)
  | where ActionType == "AntivirusScanCompleted"
  // AdditionalFields is a JSON string; ScanTypeIndex holds "Quick" or "Full"
  | extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex)
  | where ScanType == "Quick"
  | summarize QuickScans = count() by DeviceName

  //Case2 - Daily "Full scan" count list
  DeviceEvents
  | where Timestamp > ago(1d)
  | where ActionType == "AntivirusScanCompleted"
  | extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex)
  | where ScanType == "Full"
  | summarize FullScans = count() by DeviceName

  //Case3 - Daily "Quick" or "Full" scan time list
  DeviceEvents
  | where Timestamp > ago(1d)
  | where ActionType == "AntivirusScanCompleted"
  | extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex)
  // keep both scan types and list their completion times per device and type
  | where ScanType in ("Quick", "Full")
  | summarize ScanTimes = make_list(Timestamp) by DeviceName, ScanType
The query is retrieving information about the daily antivirus scan activities performed by Microsoft Defender Antivirus.
Case 1: It counts the number of "Quick scans" performed each day for each device.
Case 2: It counts the number of "Full scans" performed each day for each device.
Case 3: It lists the timestamps of both "Quick" and "Full" scans performed each day for each device.
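The three cases above can be folded into a single per-device report, and the more useful defender question is the inverse one: which devices reported to Defender for Endpoint today but completed no scan at all. The two queries below are an added example written for this page, not part of the original query set. They reuse the DeviceEvents columns and the ScanTypeIndex key from the queries above; the DeviceInfo table and its DeviceId, DeviceName and OSPlatform columns are assumed from the advanced hunting schema and are not referenced on the page.

```kql
// Added example: one report per device with both scan counts and the last
// completion time, instead of three separate result sets.
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "AntivirusScanCompleted"
| extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex)
| where ScanType in ("Quick", "Full")
| summarize
    QuickScans = countif(ScanType == "Quick"),
    FullScans  = countif(ScanType == "Full"),
    LastScan   = max(Timestamp),
    ScanTimes  = make_list(bag_pack("Type", ScanType, "Time", Timestamp))
    by DeviceName
| order by QuickScans asc, FullScans asc

// Added example: devices active in the last day with no completed Quick or Full
// scan. A device that never emits AntivirusScanCompleted does not appear in the
// report above at all, so the gap has to be found against an inventory table.
// DeviceInfo and its columns are assumed from the advanced hunting schema.
DeviceInfo
| where Timestamp > ago(1d)
| summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId
| join kind=leftanti (
    DeviceEvents
    | where Timestamp > ago(1d)
    | where ActionType == "AntivirusScanCompleted"
    | extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex)
    | where ScanType in ("Quick", "Full")
    | distinct DeviceId
) on DeviceId
| project DeviceId, DeviceName, OSPlatform, LastSeen = Timestamp
```

The first query sorts devices with the fewest scans to the top, so a zero in QuickScans on a device that should run a daily quick scan stands out immediately. The second query uses a leftanti join, which keeps only DeviceInfo rows whose DeviceId has no matching scan event, and arg_max collapses the inventory to one row per device with its latest name and platform.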

Kijo Girardi
Released: January 30, 2023