Query Details

Windows Recent Devices Missing Full Scan

Query

// All credit goes to Felix Brand - Taken from his post (https://www.linkedin.com/posts/felix-brand_defenderxdr-kql-microsoft-activity-7228749401849040896-0sNk)
// Microsoft now recommends (https://lnkd.in/ewBryvhF) to have one initial full scan when you onboard your system into MDE. But MDE does not trigger a full scan after onboarding, this KQL query combined with a custom detection rule can trigger a scan. 
// Once a scan is completed on an endpoint, it will not appear in this query again.

let AvModeDescription = dynamic({"0":"Normal", "1":"Passive", "4":"EDR Block"});
let TimeRange = ago(1d);
DeviceTvmInfoGathering
| where Timestamp > TimeRange
| extend AdditionalFields = parse_json(AdditionalFields)
| extend AvMode =  tostring(AvModeDescription[tostring(AdditionalFields.["AvMode"])])
| extend FullScanStatus = coalesce(extractjson("$.Full.ScanStatus", tostring(AdditionalFields.AvScanResults)),"Not available")
| where isnotempty( AvMode ) and AvMode has "Normal"
| where FullScanStatus !has "Completed"
| join DeviceEvents on DeviceName
| summarize arg_max(Timestamp, *) by DeviceName, DeviceId
| project DeviceName, DeviceId, FullScanStatus, ReportId, Timestamp
| take 50

Explanation

This KQL query is designed to identify devices that have not completed a full antivirus scan after being onboarded into Microsoft Defender for Endpoint (MDE). Here's a simplified breakdown of what the query does:

  1. Define Descriptions: It sets up a mapping for antivirus modes, translating numeric codes to human-readable descriptions like "Normal," "Passive," and "EDR Block."

  2. Set Time Range: It looks at data from the past day (ago(1d)).

  3. Filter Data: The query pulls data from DeviceTvmInfoGathering, focusing on records where:

    • The antivirus mode is "Normal."
    • The full scan status is not "Completed."
  4. Join with Device Events: It combines this data with DeviceEvents based on the device name to gather more information.

  5. Summarize and Select: It selects the most recent record for each device and extracts relevant fields like device name, device ID, full scan status, report ID, and timestamp.

  6. Limit Results: Finally, it limits the output to 50 devices.

In essence, this query helps identify up to 50 devices that need a full antivirus scan because they haven't completed one yet, which is important for maintaining security after onboarding into MDE.

Details

Nathan Hutchinson profile picture

Nathan Hutchinson

Released: February 12, 2026

Tables

DeviceTvmInfoGatheringDeviceEvents

Keywords

DeviceTvmInfoGatheringTimestampAdditionalFieldsAvModeDescriptionScanResultsEventsNameIdReport

Operators

letdynamicago|whereextendparse_jsontostringcoalesceextractjsonisnotemptyhas!hasjoinsummarizearg_maxbyprojecttake

Actions

GitHub