Linux Antivirus Activity

Query

## Linux – Antivirus Activity – Last 7d

### Purpose

Provides **visibility into Microsoft Defender Antivirus enforcement on Linux hosts**, including malware and potentially unwanted application (PUA) detections, scan completions and remediation outcomes.

### Query

```kql
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceEvents
| where Timestamp > ago(7d)
| where DeviceId in (LinuxDeviceIds)
| where ActionType startswith "Antivirus"
| extend AF = parse_json(AdditionalFields)
| project
    Timestamp,
    DeviceName,
    ActionType,
    ThreatName = tostring(AF.ThreatName),
    FileName,
    FolderPath,
    WasRemediated = tostring(AF.WasRemediated),
    ReportId
| order by Timestamp desc
```

### Use this for

* Validating PUA block mode effectiveness
* Investigating why a binary was blocked
* Tracking AV detections across Linux hosts
* Supporting security exception decisions

### Typical activity you’ll see

* Malware detections
* PUA detections (block mode only)
* Scan reports

Explanation

This query is designed to provide insights into antivirus activities on Linux devices over the past seven days. It specifically focuses on events related to Microsoft Defender Antivirus enforcement, such as malware and potentially unwanted application (PUA) detections. Here's a breakdown of what the query does:

  1. Identify Linux Devices: It first identifies all devices running on the Linux operating system by filtering the DeviceInfo table for entries where the OSPlatform is "Linux". It then collects the unique DeviceId values for these devices.

  2. Filter Device Events: The query then looks at the DeviceEvents table to find events from the past seven days (Timestamp > ago(7d)) that are associated with the identified Linux devices. It specifically filters for events where the ActionType starts with "Antivirus" (for example AntivirusDetection or AntivirusScanCompleted), indicating they are related to antivirus activities. Because AdditionalFields is a JSON string, it is parsed with parse_json so that nested values such as ThreatName and WasRemediated can be read.

  3. Extract and Present Data: For each relevant event, it extracts and presents several pieces of information:

    • Timestamp: When the event occurred.
    • DeviceName: The name of the device where the event was recorded.
    • ActionType: The type of antivirus action taken.
    • ThreatName: The name of the detected threat, extracted from the AdditionalFields.
    • FileName and FolderPath: The file and location involved in the event.
    • WasRemediated: Whether the threat was successfully remediated, also extracted from the AdditionalFields.
    • ReportId: An identifier for the report.
  4. Order Results: The results are ordered by the Timestamp in descending order, so the most recent events appear first.

Use Cases

  • Validating PUA Block Mode: Check if potentially unwanted applications are being effectively blocked.
  • Investigating Blocked Binaries: Understand why certain binaries were blocked by the antivirus.
  • Tracking AV Detections: Monitor antivirus detections across Linux devices.
  • Supporting Security Decisions: Provide data to help make informed security exception decisions.
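The page's query lists raw events; for the PUA-validation and exception-decision use cases above, an aggregated view per host and threat is usually more useful. The query below is an added example, not part of the original page or a Microsoft-provided query. It keeps the same Linux device scoping and the same AdditionalFields parsing, then groups detections by device and threat, splits PUA from malware, and counts detections that were not remediated. It assumes that Defender PUA threat names carry the "PUA:" prefix (as seen in detection names such as PUA:Linux/...) and that AF.WasRemediated is a boolean or "true"/"false" string, which tobool() handles either way.

```kql
// Added example: aggregate Linux Defender AV detections per host and threat,
// separating PUA from malware and surfacing unremediated detections.
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceEvents
| where Timestamp > ago(7d)
| where DeviceId in (LinuxDeviceIds)
// Only detection events carry a file and threat; scan/definition events are excluded here.
| where ActionType == "AntivirusDetection"
| extend AF = parse_json(AdditionalFields)
| extend ThreatName = tostring(AF.ThreatName),
         WasRemediated = tobool(AF.WasRemediated)
// Assumption: PUA detections are named with a "PUA:" prefix.
| extend Category = iff(ThreatName startswith "PUA:", "PUA", "Malware")
| summarize
    Detections   = count(),
    Unremediated = countif(WasRemediated == false),
    FirstSeen    = min(Timestamp),
    LastSeen     = max(Timestamp),
    SamplePaths  = make_set(strcat(FolderPath, "/", FileName), 5)
    by DeviceName, Category, ThreatName
| order by Unremediated desc, Detections desc
```

Rows with Category == "PUA" and Unremediated == 0 confirm that PUA block mode is taking effect on that host; rows with Unremediated > 0 are the ones to investigate before granting an exclusion, and SamplePaths shows where the flagged binaries live without pulling every raw event.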

Typical Observations

  • You might see records of malware detections.
  • There could be detections of potentially unwanted applications, especially if block mode is enabled.
  • Scan reports detailing the findings of antivirus scans.

Details


Nathan Hutchinson

Released: February 2, 2026

Tables

DeviceInfo, DeviceEvents

Keywords

Linux, Devices, Antivirus, Malware, PUA, Detections, Security

Operators

let, |, where, ==, distinct, in, startswith, extend, parse_json, project, tostring, order by, desc, ago
