Sercan Azizoğlu's Personal Website
October 8, 2025

Microsoft Defender's Advanced Hunting: A Personal KQL Query List

Posted on October 8, 2025  •  1 minute  • 180 words

This page contains personal queries for Microsoft Defender’s Advanced Hunting. A personal test tenant with an E5 license package is used to run them. The test tenant typically includes a Windows Server 2022, an Ubuntu server, a Windows 11 device, and a Mac device.

This page will be updated over time.

The list, like other content on this website, aims to contribute to defense in cyberspace.

List of Devices With No Full Scan Performed Since EDR Onboarding

This query joins the DeviceInfo and DeviceTvmInfoGathering schemas on DeviceId and keeps only devices whose OnboardingStatus is Onboarded. The AdditionalFields column is then parsed three times, because the scan results are nested JSON stored as text, to extract the Full Scan Status value that is visible on the Device pages within Microsoft Defender.

// Devices that reported vulnerability-management data in the last 30 days
DeviceTvmInfoGathering
| where Timestamp > ago(30d)
// Keep only devices that are onboarded to Defender for Endpoint
| join kind=inner (
    DeviceInfo
    | where OnboardingStatus == "Onboarded"
    | project DeviceId, OSPlatform
) on DeviceId
// AvScanResults lives inside the dynamic AdditionalFields column
| extend AvScanResults = parse_json(AdditionalFields.AvScanResults)
| where isnotempty(AvScanResults)
// AvScanResults and its Full object are JSON stored as text, so each level is parsed again
| extend FullScanStatus = parse_json(tostring(parse_json(tostring(parse_json(AdditionalFields).AvScanResults)).Full)).ScanStatus
| extend FullScanTimestamp = parse_json(tostring(parse_json(tostring(parse_json(AdditionalFields).AvScanResults)).Full)).Timestamp
// isempty() also catches a missing Full object (null), which "" alone would not match
| where isempty(FullScanTimestamp)
| distinct DeviceName, OSPlatform

The query parses the EDR full scan status from a device log.
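As an added example that is not part of the original post, the variant below generalizes the query above: it takes the latest record per device instead of every row in the window, and reports not only devices that were never fully scanned but also devices whose last full scan is older than a threshold. The 30-day `StaleAfter` threshold and the `Finding` labels are assumptions; the AdditionalFields layout is the one the query above relies on.

```kql
// Assumed threshold: a full scan older than this is reported as stale
let StaleAfter = 30d;
DeviceTvmInfoGathering
| where Timestamp > ago(30d)
// One row per device: the most recent TVM record
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(30d)
    | where OnboardingStatus == "Onboarded"
    // Most recent onboarding state per device, avoiding duplicate join matches
    | summarize arg_max(Timestamp, OSPlatform) by DeviceId
) on DeviceId
// Same nested JSON-as-text structure as the query above, parsed level by level
| extend AvScanResults = parse_json(tostring(AdditionalFields.AvScanResults))
| where isnotempty(AvScanResults)
| extend FullScan = parse_json(tostring(AvScanResults.Full))
| extend FullScanStatus = tostring(FullScan.ScanStatus),
         LastFullScan   = todatetime(FullScan.Timestamp)   // null when absent or empty
// Classify: never scanned, stale, or fine
| extend Finding = case(
    isnull(LastFullScan),           "never scanned",
    LastFullScan < ago(StaleAfter), "stale scan",
    "ok")
| where Finding != "ok"
// Null for devices that were never scanned
| extend DaysSinceFullScan = datetime_diff("day", now(), LastFullScan)
| project DeviceName, OSPlatform, FullScanStatus, LastFullScan, DaysSinceFullScan, Finding
| order by Finding asc, DaysSinceFullScan desc
```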
