Linux Action Type Inventory All Tables

Query

## Linux – ActionType Inventory (All Tables) – Last 24h

### Purpose

This is your **capability discovery query**. It tells you *what Linux telemetry exists* in your tenant and *which tables back the device timeline*.

### Query

```kql
// Linux devices known to DeviceInfo. Note this is not time-bounded: any device
// ever reported as Linux is included. materialize() caches the list once so the
// five union branches below reuse it instead of re-evaluating DeviceInfo.
let LinuxDeviceIds = materialize(
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId
);
// One branch per table that backs the device timeline. Each branch keeps only
// ActionType and tags the row with its source table so counts can be grouped.
union
(
    DeviceEvents
    | where Timestamp > ago(24h)
    | where DeviceId in (LinuxDeviceIds)
    | project ActionType, Table="DeviceEvents"
),
(
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where DeviceId in (LinuxDeviceIds)
    | project ActionType, Table="DeviceProcessEvents"
),
(
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where DeviceId in (LinuxDeviceIds)
    | project ActionType, Table="DeviceNetworkEvents"
),
(
    DeviceLogonEvents
    | where Timestamp > ago(24h)
    | where DeviceId in (LinuxDeviceIds)
    | project ActionType, Table="DeviceLogonEvents"
),
(
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where DeviceId in (LinuxDeviceIds)
    | project ActionType, Table="DeviceFileEvents"
)
// Count events per table/ActionType pair; tables alphabetically, busiest ActionTypes first.
| summarize Events=count() by Table, ActionType
| order by Table asc, Events desc
```

### Use this for

* Reconciling timeline events with hunting tables
* Understanding Linux telemetry coverage
* Discovering new ActionTypes after agent updates
* Deciding where to hunt for specific behaviours

Explanation

This query is designed to help you understand the types of Linux-related telemetry available in your tenant over the past 24 hours. It focuses on identifying the different kinds of actions (ActionTypes) recorded in the tables that track device activity. Here is a breakdown of what the query does:

  1. Identify Linux Devices: It first creates a list of device IDs for devices running the Linux operating system by filtering the DeviceInfo table.

  2. Collect Events: It then gathers events from five different tables (DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceLogonEvents, and DeviceFileEvents) that have occurred in the last 24 hours and are associated with the identified Linux devices.

  3. Project Relevant Data: For each event, it extracts the ActionType and notes which table the event came from.

  4. Summarize and Order: The query counts the number of events for each ActionType within each table. It then orders the results by table name (ascending) and, within each table, by event count (descending).

Purpose and Use:

  • Reconciling Timeline Events: Helps align events with the appropriate tables for investigation.
  • Understanding Coverage: Provides insight into what types of Linux telemetry data are being collected.
  • Discovering New ActionTypes: Identifies new types of actions that may appear after updates to the monitoring agent.
  • Hunting for Behaviors: Assists in deciding which tables to investigate for specific behaviors or incidents.
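The "Discovering New ActionTypes" and "Understanding Coverage" uses both come down to comparing one run of this inventory against an earlier one. The following added example (not part of the original query page) does that comparison offline on two exports of the query's result set, assumed to have been saved as CSV with the columns Table, ActionType and Events; the two exports below are constructed sample data, not real tenant output. It reports ActionTypes that appeared for the first time, ActionTypes that vanished (a possible coverage regression), and ActionTypes whose volume collapsed.

```python
import csv
import io

# Constructed sample exports of the inventory query (columns Table, ActionType, Events).
# BASELINE_CSV stands for a run saved last week; CURRENT_CSV for today's run after a
# hypothetical agent update. Neither is real tenant data.
BASELINE_CSV = """Table,ActionType,Events
DeviceFileEvents,FileCreated,1840
DeviceFileEvents,FileDeleted,420
DeviceLogonEvents,LogonSuccess,96
DeviceLogonEvents,LogonFailed,12
DeviceNetworkEvents,ConnectionSuccess,5120
DeviceProcessEvents,ProcessCreated,30500
"""
CURRENT_CSV = """Table,ActionType,Events
DeviceFileEvents,FileCreated,1910
DeviceLogonEvents,LogonSuccess,101
DeviceLogonEvents,LogonFailed,3
DeviceNetworkEvents,ConnectionSuccess,4980
DeviceNetworkEvents,ListeningConnectionCreated,37
DeviceProcessEvents,ProcessCreated,31200
"""

def parse_inventory(text):
    """Map (Table, ActionType) -> Events for one exported run of the query."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["Table"], r["ActionType"]): int(r["Events"]) for r in rows}

def inventory_drift(baseline, current, drop_ratio=0.5):
    """Compare two runs.

    new:     pairs seen now but never in the baseline (e.g. after an agent update);
             candidates for new hunting queries.
    missing: baseline pairs with no events now; check telemetry before relying on them.
    dropped: still present, but volume fell below drop_ratio of the baseline count.
    """
    new = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    dropped = sorted(k for k in current
                     if k in baseline and current[k] < baseline[k] * drop_ratio)
    return {"new": new, "missing": missing, "dropped": dropped}

def report(baseline_csv=BASELINE_CSV, current_csv=CURRENT_CSV):
    """Print and return the drift between two exported runs."""
    drift = inventory_drift(parse_inventory(baseline_csv), parse_inventory(current_csv))
    for kind, keys in drift.items():
        for table, action in keys:
            print(f"{kind:8} {table}.{action}")
    return drift

if __name__ == "__main__":
    report()
```

Small absolute counts (such as LogonFailed going from 12 to 3) will trip the drop check on ordinary day-to-day noise, so treat "dropped" as a prompt to look, not as an alert.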

Details

Nathan Hutchinson

Released: February 2, 2026

Tables

DeviceInfo, DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceLogonEvents, DeviceFileEvents

Keywords

Linux, Devices, Telemetry, Events, Timeline, Tables, ActionType, Coverage, Agent Updates, Behaviours

Operators

let, materialize, where, ==, distinct, union, in, project, summarize, count, by, order by, asc, desc, ago