Query Details

MDAV Scan Status None Cancelled Full Scans

Query

//This query returns devices, within the query's time range, whose full scans were cancelled
//and no full scan completed. Devices with no full-scan events at all produce no rows here and
//are therefore not returned.
//Results can be used with the "Take action" button to trigger full scans on selected devices
DeviceEvents
| where ActionType has_any ("AntivirusScanCompleted", "AntivirusScanCancelled")
| extend AdditionalFields = parse_json(AdditionalFields)
//ScanTypeIndex inside AdditionalFields carries the scan type; keep only full scans
| extend ScanType = tostring(AdditionalFields.ScanTypeIndex)
| where ScanType == "Full"
//one row per device holding the set of full-scan outcomes observed for it
| summarize set_ActionType = make_set(ActionType) by DeviceId, DeviceName
//keep devices whose full scans were cancelled but never completed
| where not(set_has_element(set_ActionType, "AntivirusScanCompleted"))

Explanation

This query identifies devices, within the selected time range, whose full antivirus scans were cancelled and never completed: every full-scan event recorded for the device is a cancellation. It does not return devices with no full-scan events at all, because those devices have no matching rows to summarize. The result set keeps DeviceId, so it can be used with the portal's Take action option to start full scans on the selected devices. Here's a breakdown of what the query does:

  1. Data Source: It starts by looking at the DeviceEvents table.

  2. Filter Events: It keeps only events whose action type is "AntivirusScanCompleted" or "AntivirusScanCancelled". Devices that generated neither event in the time range drop out at this step.

  3. Extract Scan Type: It parses the AdditionalFields column to extract the ScanTypeIndex, which indicates the type of scan.

  4. Filter for Full Scans: It further filters the data to only include events where the scan type is "Full".

  5. Summarize by Device: It groups the data by DeviceId and DeviceName, creating a set of action types for each device.

  6. Identify Incomplete Scans: Finally, it keeps devices whose set of action types does not contain "AntivirusScanCompleted". Because step 2 already required at least one full-scan event per device, every remaining device had a full scan cancelled and none completed.
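The query above cannot produce the "none" half of its title, since a device that has never started a full scan has no DeviceEvents rows to summarize. The following added example (not part of the original submission) inverts the approach: it starts from the DeviceInfo inventory table and left-outer-joins the full-scan outcomes, so devices with no full-scan events at all appear with Status "None" and devices whose scans were only cancelled appear with Status "Cancelled". It assumes the standard DeviceInfo columns (Timestamp, DeviceId, DeviceName, OnboardingStatus) and the same ScanTypeIndex value "Full" used above; the two window lengths are illustrative choices, and DeviceId is kept in the output so the results still work with Take action.

```kql
// Added example, not the original submission: find onboarded devices seen recently
// that have no completed full scan in the lookback window, and say whether their
// full scans were cancelled or never ran at all.
// Assumptions: DeviceInfo heartbeats exist for onboarded devices; ScanTypeIndex == "Full"
// marks a full scan (as in the original query). Window lengths are illustrative.
let seenWindow = 1d;      // devices that reported in during this window
let scanWindow = 30d;     // how far back a completed full scan still counts
let DevicesSeen = DeviceInfo
    | where Timestamp > ago(seenWindow)
    | where OnboardingStatus == "Onboarded"
    | summarize arg_max(Timestamp, DeviceName) by DeviceId
    | project DeviceId, DeviceName, LastSeen = Timestamp;
let FullScanOutcomes = DeviceEvents
    | where Timestamp > ago(scanWindow)
    | where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled")
    | extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex)
    | where ScanType == "Full"
    | summarize Completed = countif(ActionType == "AntivirusScanCompleted"),
                Cancelled = countif(ActionType == "AntivirusScanCancelled"),
                LastFullScanEvent = max(Timestamp) by DeviceId;
DevicesSeen
| join kind=leftouter FullScanOutcomes on DeviceId
// devices with no full-scan events at all come back with nulls from the right side
| extend Completed = coalesce(Completed, 0), Cancelled = coalesce(Cancelled, 0)
| where Completed == 0
| extend Status = iff(Cancelled > 0, "Cancelled", "None")
| project DeviceId, DeviceName, LastSeen, Status, Cancelled, LastFullScanEvent
| order by Status asc, LastSeen desc
```

Devices with Status "None" and a null LastFullScanEvent have never had a full scan recorded in the lookback window, which is the case the original query cannot surface; a device that completed a full scan within the window is excluded regardless of later cancellations.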

Details

User Submission

Released: November 10, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, ActionType, AdditionalFields, ScanType, DeviceId, DeviceName

Operators

has_any, extend, parse_json, tostring, where, summarize, make_set, by, not, set_has_element
