Microsoft Defender for Endpoint provides powerful antivirus scanning capabilities, but how do you ensure that full scans are occurring regularly across all devices? With Log Analytics, you can track antivirus scans, analyze trends, and take action if full scans are not happening often enough.

In this post, we’ll walk through how to use Kusto Query Language (KQL) to pull Defender Antivirus scan reports, interpret the data, and adjust configurations to ensure optimal security coverage.

  1. Enable Data Collection from Defender for Endpoint

To start logging Defender scan events, you need to configure Microsoft Defender for Endpoint to send data to Log Analytics.

Step 1: Configure Defender Data Streaming

  1. Confirm devices are onboarded in the Microsoft Defender portal (Assets > Devices). A device that is not onboarded never produces DeviceEvents rows, so it will be invisible to every query in this post.
  2. Enable the Microsoft Defender XDR data connector in Sentinel
    If you’re using Microsoft Sentinel, note that the Microsoft Defender for Endpoint connector only forwards alerts (into the SecurityAlert table). The raw DeviceEvents table that the scan queries rely on is delivered by the Microsoft Defender XDR connector (formerly Microsoft 365 Defender):

    • Go to Microsoft Sentinel in the Azure portal.
    • Open your Sentinel workspace.
    • Under Data connectors, search for Microsoft Defender XDR.
    • Click Open connector page, connect the tenant, and under the event tables select at least DeviceEvents and DeviceInfo (DeviceInfo is what lets you find devices that report no scans at all).

    Advanced Hunting in the Defender portal keeps only 30 days of raw events; once the table is in Log Analytics it is kept for the workspace retention period, which is what makes month-over-month trend analysis possible.
  2. Querying Defender Antivirus Scans in Log Analytics

Once the data is being collected, you can use KQL queries to analyze Defender Antivirus scan events.

Basic KQL Query for Antivirus Scan Events

DeviceEvents
| where TimeGenerated >= ago(28d)
| where ActionType == "AntivirusScanCompleted"
| extend ScanType = tostring(parse_json(AdditionalFields).ScanType)
| project DeviceName, TimeGenerated, ActionType, InitiatingProcessFileName, ScanType

What This Query Provides:

  • DeviceName – The machine that performed the scan.
  • TimeGenerated – When the scan was completed.
  • ActionType – Confirms that it was an AntivirusScanCompleted event. Scans that did not finish show up as AntivirusScanCancelled or AntivirusScanFailed instead, so a completed-only query understates how often scans were attempted.
  • InitiatingProcessFileName – The process that triggered the scan.
  • ScanType – Indicates whether it was a Full Scan or Quick Scan. It is not a top-level column of DeviceEvents; it has to be extracted from the AdditionalFields JSON with the extend line above.
  3. Analyzing Scan Trends

Once you have this data, you can analyze trends to ensure that full scans are happening frequently enough.

Key Metrics to Monitor:

  • Percentage of Full Scans vs. Quick Scans – Are full scans happening at least once per month per device?
  • Last Full Scan Per Device – Identify devices that haven’t had a full scan recently.
  • Devices Without Any Scans – Find endpoints that haven’t reported any scans in the past 30 days.
  • Scan Duration and Frequency – Are scans taking too long or occurring too frequently?

KQL Query to Count Full vs. Quick Scans:

DeviceEvents
| where TimeGenerated >= ago(28d)
| where ActionType == "AntivirusScanCompleted"
| extend ScanType = tostring(parse_json(AdditionalFields).ScanType)
| summarize ScanCount=count() by ScanType

This query shows whether Full Scans are underrepresented across the fleet. Because quick scans normally run daily and full scans at most weekly, a low share of full scans is expected; the useful signal is a share that drops to zero, or a per-device view in which some devices never contribute a full scan at all.
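The two queries above give fleet-wide totals, but the metrics listed earlier (last full scan per device, devices that are overdue) need one row per device. The following is an added example written for this post, not a query from the original article or from Microsoft. It assumes the DeviceEvents table is in Log Analytics and that AntivirusScanCompleted events carry the scan type inside the AdditionalFields JSON under the key ScanType (values such as "Quick" or "Full"); the thresholds in the two let statements are assumptions you should align with your own policy.

```kql
// Added example (not from the original post): per-device scan coverage
// with an "overdue" flag, built on DeviceEvents in Log Analytics.
// Assumption: the scan type is stored in AdditionalFields as "ScanType";
// "contains" is a case-insensitive substring match, so "Full", "FullScan"
// and "Full scan" are all treated as full scans.
let lookback = 90d;            // how far back to look for scan events
let maxFullScanAge = 30d;      // policy: a full scan is overdue after this long
DeviceEvents
| where TimeGenerated >= ago(lookback)
| where ActionType == "AntivirusScanCompleted"
| extend ScanType = tostring(parse_json(AdditionalFields).ScanType)
| extend IsFull = ScanType contains "Full", IsQuick = ScanType contains "Quick"
| summarize
    FullScans     = countif(IsFull),
    QuickScans    = countif(IsQuick),
    LastFullScan  = maxif(TimeGenerated, IsFull),    // null if the device never ran one
    LastQuickScan = maxif(TimeGenerated, IsQuick)
    by DeviceId, DeviceName
| extend TotalScans = FullScans + QuickScans
// Guard the division: a device with only custom scans would otherwise yield NaN
| extend FullScanPct = iff(TotalScans > 0, round(100.0 * FullScans / TotalScans, 1), real(null))
| extend DaysSinceFullScan = datetime_diff('day', now(), LastFullScan)
| extend FullScanOverdue = isnull(LastFullScan) or LastFullScan < ago(maxFullScanAge)
| project DeviceName, DeviceId, FullScans, QuickScans, FullScanPct,
          LastFullScan, LastQuickScan, DaysSinceFullScan, FullScanOverdue
| order by toint(FullScanOverdue) desc, DaysSinceFullScan desc
```

The 90-day lookback is deliberately longer than the 30-day policy window so that a device whose last full scan was, say, 45 days ago is reported with DaysSinceFullScan = 45 and FullScanOverdue = true rather than simply disappearing from the result. The query still only sees devices that produced at least one scan event; finding devices with no scan events at all requires joining against DeviceInfo, which is what the alert query later in the post does.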

  4. What to Do If Full Scans Are Not Happening Enough

If full scans are too infrequent, here’s how you can adjust your security posture:

  1. Check Defender Antivirus Policies in Intune or Group Policy

Ensure your policies enforce regular full scans. In Microsoft Intune, navigate to:

  • Endpoint Security > Antivirus > Select a policy > Review the scan schedule.

To check the current scan schedule on an endpoint using PowerShell:

Get-MpPreference | Select-Object Scan* | Format-Table -AutoSize

Defender expresses the schedule through ScanParameters (1 = Quick scan, 2 = Full scan), ScanScheduleDay (0 = Every day, 1 = Sunday through 7 = Saturday, 8 = Never) and ScanScheduleTime, rather than through a single maximum-age setting. If ScanParameters is 1, the scheduled scan is a quick scan and a full scan will never run on a schedule; change it with Set-MpPreference, or with the matching Intune or Group Policy setting, so that a full scan is scheduled on a day and time when devices are normally powered on. Also check DisableCatchupFullScan: when it is True, a device that was off at the scheduled time will not make up the missed full scan when it next starts. On the device itself, Get-MpComputerStatus reports FullScanAge, FullScanEndTime and FullScanOverdue, which is a quick way to cross-check what Log Analytics shows for that host.

  2. Use Defender for Endpoint Advanced Hunting

Go to the Microsoft Defender portal (security.microsoft.com) > Hunting > Advanced hunting and use KQL queries to track scan behavior over time. Advanced Hunting uses the Timestamp column rather than TimeGenerated, and only holds the last 30 days of events.

DeviceEvents
| where ActionType == "AntivirusScanCompleted"
| extend ScanType = tostring(parse_json(AdditionalFields).ScanType)
| summarize FullScans=countif(ScanType contains "Full"), QuickScans=countif(ScanType contains "Quick") by bin(Timestamp, 1d)

This query will show a daily count of Full vs. Quick scans.

  3. Automate Alerts for Missing Full Scans

Set up Azure Monitor alerts, or a Microsoft Sentinel scheduled analytics rule, to notify security teams if full scans are not happening regularly. You can create an alert based on this query:

DeviceEvents
| where TimeGenerated >= ago(14d)
| where ActionType == "AntivirusScanCompleted"
| extend ScanType = tostring(parse_json(AdditionalFields).ScanType)
| where ScanType contains "Full"
| summarize DeviceCount=dcount(DeviceName)

Trigger an alert if DeviceCount is lower than the number of devices you expect to have completed a full scan in that window. A fixed expected count drifts as the fleet grows or shrinks, so it is better to compare against the devices that are actually reporting to Defender.
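The following is an added example for this post, not a query from the original article or from Microsoft, that turns the "lower than expected" check into a list of specific devices: every device that checked in to Defender for Endpoint recently but has no completed full scan within the policy window. It assumes the DeviceInfo table is collected alongside DeviceEvents, that OnboardingStatus carries the value "Onboarded" for active devices, and that the scan type sits in AdditionalFields under ScanType; the two window lengths are assumptions to align with your policy.

```kql
// Added example (not from the original post): active onboarded devices with
// no completed full scan inside the policy window. Each returned row is a
// device that should fire the alert, so the alert condition is simply
// "number of results greater than 0".
let maxFullScanAge = 30d;     // policy: every device needs a full scan within this window
let activeWindow = 7d;        // a device counts as active if it reported in this window
// 1. The fleet: latest record per device that checked in during the active window.
//    Assumption: OnboardingStatus == "Onboarded" marks devices still managed by MDE.
let ActiveDevices = DeviceInfo
    | where TimeGenerated >= ago(activeWindow)
    | where OnboardingStatus == "Onboarded"
    | summarize arg_max(TimeGenerated, DeviceName, OSPlatform) by DeviceId
    | project-rename LastSeen = TimeGenerated;
// 2. Devices that completed at least one full scan inside the policy window.
let RecentlyFullScanned = DeviceEvents
    | where TimeGenerated >= ago(maxFullScanAge)
    | where ActionType == "AntivirusScanCompleted"
    | extend ScanType = tostring(parse_json(AdditionalFields).ScanType)
    | where ScanType contains "Full"
    | summarize LastFullScan = max(TimeGenerated) by DeviceId;
// 3. leftanti keeps only the active devices with no match in step 2,
//    which covers both "last full scan too old" and "never scanned at all".
ActiveDevices
| join kind=leftanti RecentlyFullScanned on DeviceId
| project DeviceId, DeviceName, OSPlatform, LastSeen
| order by LastSeen desc
```

Joining on DeviceId rather than DeviceName avoids false matches when a hostname is reused after a rebuild. If you run this as a Sentinel scheduled analytics rule, map DeviceName to the Host entity so each alert names the device, and remember that a scheduled rule's lookup period is capped at 14 days; for a 30-day policy window, run the query from a workbook or a playbook instead, or shorten maxFullScanAge to 14d for the rule and keep the 30-day version as a hunting query.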

  5. Simulated Full Scan Coverage Chart

Below is a simulated chart showing the percentage of Full Scans vs. Quick Scans across different devices; the values are illustrative, not real telemetry.

[Chart: percentage of Full Scans vs. Quick Scans per device]

How to Adjust If Full Scans Are Too Low:

  1. Check Scan Scheduling Policies – Ensure a full scan is actually scheduled (scan type set to Full, not Quick) via Intune or Group Policy, at the cadence your policy defines; this post assumes at least once every 30 days.
  2. Review Device Availability and Performance Constraints – A scheduled full scan is skipped when the device is off or asleep at the scheduled time and is only made up later if catch-up full scans are enabled (DisableCatchupFullScan set to False); on busy machines, "scan only if idle" (ScanOnlyIfIdleEnabled) can also defer it indefinitely.
  3. Automate Alerts in Sentinel – Set alerts for devices that haven’t had a full scan in over 30 days.

Conclusion

By leveraging Log Analytics and KQL, you can gain visibility into Defender Antivirus scans, track scan frequency, and take action to ensure full scans occur as needed. Regular full scans are critical for detecting and mitigating malware, so monitoring them should be a core part of your security strategy.

Have you used Log Analytics to track Defender Antivirus scans? Let us know your insights and best practices!