Query Details

Device Find Device Without Current AV Scan

Query

// Devices without a successful AV scan in the last n days
// As of 27.01.2022 only the following platforms are supported:
// Windows10, Windows10WVD, Windows11, WindowsServer2012R2, WindowsServer2016, WindowsServer2019, WindowsServer2022

// Data connector required for this query - Advanced Hunting license
// Query only works in Advanced Hunting

let Timerange = 14d;
DeviceInfo
| where OnboardingStatus == "Onboarded"
| where isnotempty(OSVersion)
| where Timestamp > ago(Timerange)
// keep one row per device: its most recent DeviceInfo record inside the window
| summarize LastSeen = arg_max(Timestamp, *) by DeviceId
| extend LastSuccessfulAVScan = strcat("Not in the last ", format_timespan(Timerange, 'd'), " days")
| project LastSeen, DeviceId, DeviceName, MachineGroup, OSPlatform, OSVersion, DeviceType, LastSuccessfulAVScan, JoinType
// use rightsemi to return all devices that had a successful AV scan in the last n days
// use leftanti to return all devices that have NOT had a successful AV scan in the last n days
| join kind=leftanti (
    DeviceEvents
    | where ActionType == "AntivirusScanCompleted"
    | where Timestamp > ago(Timerange)
    // latest completed scan per device
    | summarize LastSuccessfulAVScan = max(Timestamp) by DeviceName, DeviceId
    | join kind=innerunique (
        DeviceInfo
        | where isnotempty(OSVersion)
    ) on DeviceId
    | summarize LastSeen = arg_max(Timestamp, *) by DeviceName
    | project LastSeen, DeviceId, DeviceName, MachineGroup, OSPlatform, OSVersion, DeviceType, LastSuccessfulAVScan, JoinType
) on DeviceId
| where OSPlatform in ("Windows10", "Windows10WVD", "Windows11", "WindowsServer2012R2", "WindowsServer2016", "WindowsServer2019", "WindowsServer2022")
| sort by DeviceType, MachineGroup, OSPlatform

Explanation

This query looks for onboarded devices that have not had a successful antivirus scan in the last n days, where n is set by the Timerange variable (14 days as written). It filters DeviceInfo for devices that are onboarded and have a non-empty OS version, keeps each device's most recent record, and then uses a leftanti join against the AntivirusScanCompleted events in DeviceEvents so that only devices with no successful scan in that window remain; swapping the join kind to rightsemi inverts the result and returns the devices that did scan. The query only includes devices with specific operating systems (Windows 10, Windows 10 WVD, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022). The results are sorted by device type, machine group, and operating system platform. Because the device list itself comes from DeviceInfo records inside the same window, a device that has not reported to Defender at all within Timerange will not appear in either result set.
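The original query has to be run twice (leftanti, then rightsemi) to see both populations. The variant below is an added example, not part of the original query or of the author's collection; it keeps the same Advanced Hunting schema and platform list but uses a leftouter join so that one result set lists every onboarded, supported device with either its actual last scan time or the "Not in the last N days" marker. The column names LastScanTime and ScanStatus and the SupportedPlatforms variable are chosen here and are not part of the original.

```kql
// Added example: one result set for both scanned and unscanned devices.
// Assumes the standard Advanced Hunting DeviceInfo / DeviceEvents schema.
let Timerange = 14d;
// same platform list as the original query, held in a variable for reuse
let SupportedPlatforms = dynamic([
    "Windows10", "Windows10WVD", "Windows11",
    "WindowsServer2012R2", "WindowsServer2016", "WindowsServer2019", "WindowsServer2022"]);
// latest completed AV scan per device inside the window
let LastScans =
    DeviceEvents
    | where Timestamp > ago(Timerange)
    | where ActionType == "AntivirusScanCompleted"
    | summarize LastScanTime = max(Timestamp) by DeviceId;
DeviceInfo
| where Timestamp > ago(Timerange)
| where OnboardingStatus == "Onboarded"
| where isnotempty(OSVersion)
| where OSPlatform in (SupportedPlatforms)
// one row per device: its most recent DeviceInfo record
| summarize LastSeen = arg_max(Timestamp, *) by DeviceId
// leftouter keeps devices with no matching scan; LastScanTime is null for them
| join kind=leftouter LastScans on DeviceId
| extend ScanStatus = iff(isnull(LastScanTime),
                          strcat("Not in the last ", format_timespan(Timerange, 'd'), " days"),
                          "Scanned")
| project LastSeen, DeviceId, DeviceName, MachineGroup, OSPlatform, OSVersion, DeviceType, JoinType, LastScanTime, ScanStatus
// unscanned devices sort first because "Not in..." precedes "Scanned"
| sort by ScanStatus asc, DeviceType, MachineGroup, OSPlatform
```

The design difference from the original is that the scan side is reduced to DeviceId and LastScanTime before the join, so there is no need for the nested innerunique join back to DeviceInfo: the device metadata always comes from the single DeviceInfo row kept by arg_max. Filtering the platform list before the join also cuts the rows the join has to process. The same caveat as the original applies: devices that have not reported a DeviceInfo record within Timerange are absent from the output, so a device that is completely offline is not the same as a device that is online but unscanned.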

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceInfo, DeviceEvents

Keywords

Devices, Intune, User

Operators

where, isnotempty, ago, summarize, arg_max, extend, strcat, project, join, kind, where, max, innerunique, on, where, isnotempty, summarize, arg_max, project, on, where, in, sort by