Manual Antivirus Scans

# List Antivirus Scan Activities

## Query Information

### Description
This query lists every manual (and playbook-initiated) antivirus scan action that was started, together with the related comments and scan scope, rolled up per device.

### References
- https://learn.microsoft.com/en-us/defender-endpoint/mdav-scan-best-practices

## Defender For Endpoint
```
// Manual and playbook-initiated antivirus scans, rolled up per device
CloudAppEvents
| where ActionType == "RunAntiVirusScan"
// DeviceName, ActionComment and ActionScope are carried inside the RawEventData JSON blob
| extend DeviceName = tostring(parse_json(RawEventData).DeviceName),
         ActionComment = tostring(parse_json(RawEventData).ActionComment),
         ActionScope = tostring(parse_json(RawEventData).ActionScope)
| summarize TotalAntivirusScans = count(), ScanTypes = make_set(ActionScope), Comments = make_set(ActionComment) by DeviceName
```
## Sentinel
```
// Same query for the Sentinel workspace; CloudAppEvents is ingested via the Defender XDR connector
CloudAppEvents
| where ActionType == "RunAntiVirusScan"
// DeviceName, ActionComment and ActionScope are carried inside the RawEventData JSON blob
| extend DeviceName = tostring(parse_json(RawEventData).DeviceName),
         ActionComment = tostring(parse_json(RawEventData).ActionComment),
         ActionScope = tostring(parse_json(RawEventData).ActionScope)
| summarize TotalAntivirusScans = count(), ScanTypes = make_set(ActionScope), Comments = make_set(ActionComment) by DeviceName
```

Explanation

This query lists all manual and playbook-related antivirus scan activities initiated on devices, along with the related comments. The device name, scan scope and comment are not top-level columns of CloudAppEvents; they are extracted from the RawEventData JSON with parse_json. The query then summarizes, per device, the total number of antivirus scans, the distinct scan scopes and the distinct comments.
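As an added example (not the page's own query), the same events can be projected per scan rather than per device, so that each scan is tied to the account that requested it and to its timestamp, and then rolled up to flag devices that were scanned repeatedly in the window. It uses the documented CloudAppEvents columns Timestamp and AccountDisplayName and the same RawEventData fields as the query above; the 30-day window and the threshold of 5 scans are arbitrary choices.

```kql
// Added example, not part of the original page. Per-scan view of
// RunAntiVirusScan actions with the requesting account, followed by a
// rollup that flags devices scanned repeatedly in the window.
// Assumptions: the 30d window and the threshold of 5 scans are arbitrary.
let window = 30d;
let threshold = 5;
let Scans =
    CloudAppEvents
    | where Timestamp > ago(window)
    | where ActionType == "RunAntiVirusScan"
    // parse the JSON blob once and pull the three fields out of it
    | extend Raw = parse_json(RawEventData)
    | extend DeviceName = tostring(Raw.DeviceName),
             ActionComment = tostring(Raw.ActionComment),
             ActionScope = tostring(Raw.ActionScope)
    | project Timestamp, DeviceName, ActionScope, ActionComment, AccountDisplayName;
Scans
| summarize TotalAntivirusScans = count(),
            FirstScan = min(Timestamp),
            LastScan = max(Timestamp),
            ScanTypes = make_set(ActionScope),
            Requesters = make_set(AccountDisplayName),
            Comments = make_set(ActionComment)
    by DeviceName
| where TotalAntivirusScans >= threshold
| sort by TotalAntivirusScans desc
```

Drop the final where to see every device, or run `Scans | where DeviceName == "<name>" | sort by Timestamp asc` to list the individual scans and requesters for a flagged device.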

Details

Bert-Jan Pals

Released: June 4, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents,ActionType,RunAntiVirusScan,DeviceName,ActionComment,ActionScope,TotalAntivirusScans,ScanTypes,Comments.

Operators

where, extend, tostring, parse_json, summarize, count, make_set