Scanning Report using MS Defender.

I am trying to create a report that will give me current AVscan status and timestamp, last time AVscan status with timestamp, ActionType and StartedBy.

DeviceEvents

| where ActionType has_any (“AntivirusScanCancelled”, “AntivirusScanCompleted”)

| extend AdditionalFields = todynamic(AdditionalFields)

| extend ScanType = AdditionalFields.[“ScanTypeIndex”], StartedBy= AdditionalFields.[“User”]

| extend ServerName = extract(“([^.]+)\.(.+)”, 1, DeviceName)

| extend Domain = extract(“([^.]+)\.(.+)”, 2, DeviceName)

| project Timestamp, ServerName, Domain, ActionType, ScanType, StartedBy

Above query giving me a lot of devices where i am trying to get distinct values for the devices with last AV scan. Looking for better advise on that query please.

I am trying to create a report that will give me current AVscan status and timestamp, last time AVscan status with timestamp, ActionType and StartedBy.DeviceEvents| where ActionType has_any (“AntivirusScanCancelled”, “AntivirusScanCompleted”)| extend AdditionalFields = todynamic(AdditionalFields)| extend ScanType = AdditionalFields.[“ScanTypeIndex”], StartedBy= AdditionalFields.[“User”]| extend ServerName = extract(“([^.]+)\.(.+)”, 1, DeviceName)| extend Domain = extract(“([^.]+)\.(.+)”, 2, DeviceName)| project Timestamp, ServerName, Domain, ActionType, ScanType, StartedByAbove query giving me a lot of devices where i am trying to get distinct values for the devices with last AV scan. Looking for better advise on that query please. Read More

Cart

Cart