# Latest Antivirus Scan Status

## Query Information

#### Description
This query lists the latest completed antivirus scan for each device and filters out the devices that have already performed a successful scan today, so only devices whose most recent scan is at least a day old remain in the results.

#### Risk
The Defender sensor is not working correctly and might not be able to identify suspicious behaviour.

#### References
- https://cloudbrothers.info/antivirus-scan-complete/

## Defender For Endpoint
```KQL
DeviceEvents
| where ActionType == "AntivirusScanCompleted"
// Keep only the most recent scan event per device
| summarize arg_max(Timestamp, *) by DeviceId
| extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex),
    DaysAgo = datetime_diff('day', now(), Timestamp)
| project DeviceName, ActionType, ScanType, DaysAgo
// Filter only devices that have not performed an antivirus scan in the last day
| where DaysAgo > 0
| sort by DaysAgo
```
## Sentinel
```KQL
DeviceEvents
| where ActionType == "AntivirusScanCompleted"
// Sentinel exposes the event time as TimeGenerated; use it consistently
| summarize arg_max(TimeGenerated, *) by DeviceId
| extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex),
    DaysAgo = datetime_diff('day', now(), TimeGenerated)
| project DeviceName, ActionType, ScanType, DaysAgo
// Filter only devices that have not performed an antivirus scan in the last day
| where DaysAgo > 0
| sort by DaysAgo
```

Explanation

This query retrieves the latest completed antivirus scan for each device and keeps only the devices whose most recent successful scan was not today, so devices that scanned today drop out of the results. It helps identify whether the Defender sensor is functioning properly and able to detect suspicious behavior. The output includes the device name, action type, scan type, and the number of days since the last scan. The query is available for both Defender for Endpoint and Sentinel.
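A device that has never logged an AntivirusScanCompleted event at all never appears in the query above, because there is no row for arg_max to return. The following added example (not from the original page or its author) starts from the Defender for Endpoint DeviceInfo table instead and left-joins the last scan, so such devices surface as well; the 30-day lookback, the 7-day "stale" threshold, and the status labels are assumed tuning values.

```kql
// Added example: report devices with no recent scan, including those with no scan event at all.
// Assumes Defender for Endpoint column names (Timestamp) and the DeviceInfo table
// (DeviceId, DeviceName, OSPlatform, Timestamp). Lookback and threshold are assumed values.
let lookback = 30d;
let staleAfterDays = 7;
let LastScan =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AntivirusScanCompleted"
    // Most recent completed scan per device
    | summarize arg_max(Timestamp, AdditionalFields) by DeviceId
    | project DeviceId, LastScanTime = Timestamp,
              ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex);
DeviceInfo
| where Timestamp > ago(lookback)
// One row per device seen in the lookback window
| summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId
// leftouter keeps devices that have no matching scan event (LastScanTime is null)
| join kind=leftouter LastScan on DeviceId
| extend DaysAgo = datetime_diff('day', now(), LastScanTime)
| extend ScanStatus = case(
      isnull(LastScanTime), "NoScanRecorded",
      DaysAgo > staleAfterDays, "Stale",
      DaysAgo > 0, "NotToday",
      "Today")
// Keep only the devices that need attention
| where ScanStatus != "Today"
| project DeviceName, OSPlatform, ScanType, LastScanTime, DaysAgo, ScanStatus
// Devices with no scan at all (null DaysAgo) sort to the top
| sort by DaysAgo desc nulls first
```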

Details

Bert-Jan Pals

Released: December 1, 2023

Tables

DeviceEvents

Keywords

Devices,Intune,User

Operators

where, summarize, arg_max, by, extend, tostring, parse_json, datetime_diff, now, project, sort