Query Details
# Antivirus Detections by day

#### Description

This query visualizes the daily antivirus detections, which can give an indication of an anomalous amount of activity in your environment.

## Defender For Endpoint

```kql
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == 'AntivirusDetection'
| summarize count() by bin(Timestamp, 1d)
| render linechart with(title="Antivirus Detections by Day")
```

## Sentinel

```kql
DeviceEvents
| where TimeGenerated > ago(30d)
| where ActionType == 'AntivirusDetection'
| summarize count() by bin(TimeGenerated, 1d)
| render linechart with(title="Antivirus Detections by Day")
```
The query retrieves antivirus detection events and visualizes them in a line chart. It counts the number of antivirus detections per day over the past 30 days by grouping the events into daily bins. A spike or drop in the chart helps identify unusual activity in the environment. The query is written in two versions, one for Defender for Endpoint (`Timestamp`) and another for Sentinel (`TimeGenerated`).
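Reading the line chart by eye works for a single workspace, but an analyst usually wants the days flagged automatically. The query below is an added example written for this page, not part of the original query or its author's collection. It keeps the same `DeviceEvents` filter and daily binning, but builds a time series with `make-series` (filling days without detections with 0) and lets `series_decompose_anomalies` score each day against a linear-fit baseline; only days whose anomaly flag is non-zero are returned. The threshold value `1.5` and the `-1` (auto-detect seasonality) and `'linefit'` arguments are the function's documented parameters and are assumptions chosen for illustration; tune the threshold to your environment. For Sentinel, replace `Timestamp` with `TimeGenerated` as in the original page.

```kql
// Added example: flag days whose antivirus detection count deviates from the 30-day baseline.
// Same source table and filter as the original query; Sentinel users swap Timestamp for TimeGenerated.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == 'AntivirusDetection'
// Build a contiguous daily series; days with no detections become 0 instead of missing points.
| make-series DailyDetections = count() default = 0
    on Timestamp from ago(30d) to now() step 1d
// Decompose the series: Anomalies is +1/-1/0 per point, Score is the anomaly score, Baseline the expected value.
// Threshold 1.5 (assumed), seasonality -1 = auto-detect, trend = 'linefit'.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(DailyDetections, 1.5, -1, 'linefit')
// Expand the arrays back into one row per day so the result can be triaged or alerted on.
| mv-expand Timestamp to typeof(datetime),
            DailyDetections to typeof(long),
            Anomalies to typeof(int),
            Score to typeof(double),
            Baseline to typeof(long)
// Keep only days the decomposition marked as anomalous (positive spikes or negative drops).
| where Anomalies != 0
| project Timestamp, DailyDetections, Baseline, Score, Anomalies
| order by Timestamp asc
```

Positive anomalies (`Anomalies == 1`) point at a burst of detections worth correlating with `DeviceEvents` fields such as `FileName` and `DeviceName` for that day; negative anomalies (`Anomalies == -1`) can indicate that telemetry or the AV engine itself stopped reporting, which is its own finding. Dropping the final `where` and adding `| render anomalychart` plots the series with the flagged points highlighted.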

Bert-Jan Pals
Released: July 12, 2023