## Linux – File Activity Baseline – Last 24h
### Purpose
Provides **visibility into file system activity** on Linux endpoints. This is critical for Linux threat hunting because attackers lean heavily on world-writable staging directories such as `/tmp` to drop, unpack and later clean up their tooling, so a baseline of normal file writes is what makes the abnormal ones stand out.
### Query
```kql
let LinuxDeviceIds =
DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId;
DeviceFileEvents
| where Timestamp > ago(24h)
| where DeviceId in (LinuxDeviceIds)
| project
Timestamp,
DeviceName,
ActionType,
FileName,
FolderPath,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
ReportId
| order by Timestamp desc
| take 200
```
### Use this for
* Detecting file drops and clean‑up activity
* Identifying abuse of `/tmp`, `/var/tmp`, or home directories
* Correlating file writes with suspicious processes
* Hunting installer‑style malware or tooling
### Typical activity you’ll see
* File creation in `/tmp`
* Renames of staged binaries
* Script output files
* Temporary archive extraction
### How the query works
This query monitors file system activity on Linux devices over the past 24 hours, focusing on how files are created, changed and removed so that staging and clean-up behaviour is visible. Step by step:
1. Identify Linux devices: build a list of device IDs whose `OSPlatform` in `DeviceInfo` is `Linux`.
2. Filter recent file events: keep only `DeviceFileEvents` rows from the last 24 hours on those devices.
3. Select relevant information: project the timestamp, device name, action type (file creation, modification, rename or deletion), file name and folder path, and the process that initiated the action together with its command line.
4. Sort and limit results: order by most recent first and keep the top 200 rows for easier review.
This query is particularly useful for spotting abuse of temporary directories such as `/tmp` or `/var/tmp`. Typical activities you will observe include file creation in temporary directories, renaming of staged files, script output files and extraction of temporary archives. These insights are crucial for threat hunting and maintaining the security of Linux systems.
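The baseline above returns raw rows, which is fine for a first look but hard to read at scale. The following variant is an added example and not part of the original query: it keeps the same Linux device scoping, narrows the events to the staging directories the page calls out, and stacks them by initiating process and top-level directory so that a rare writer surfaces at the top instead of being buried in 200 rows. The inclusion of `/dev/shm`, the 7-day lookback and the rare-first ordering are assumptions to tune for your environment.

```kql
// Added example, not the original page's query.
// Stack Linux file writes in common staging directories by initiating
// process and top-level folder; sort rarest first (low-prevalence hunting).
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceFileEvents
// Assumption: a 7-day window gives enough history for prevalence to mean something.
| where Timestamp > ago(7d)
| where DeviceId in (LinuxDeviceIds)
// Only write-style actions; deletions are handled by a separate clean-up hunt.
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// Assumption: these are the staging directories worth watching; /dev/shm is
// in-memory and a common drop location that the page does not list.
| where FolderPath startswith "/tmp"
    or FolderPath startswith "/var/tmp"
    or FolderPath startswith "/dev/shm"
    or FolderPath startswith "/home/"
// Top-level directory (tmp, var, dev, home) for a coarse grouping key.
| extend TopDir = tostring(split(FolderPath, "/")[1])
| summarize
    Events = count(),
    Devices = dcount(DeviceId),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleFiles = make_set(FileName, 5),
    SampleCommandLines = make_set(InitiatingProcessCommandLine, 3)
    by InitiatingProcessFileName, TopDir
// Rare writers first: a process seen on one device writing to /tmp once is
// more interesting than a package manager seen everywhere.
| order by Devices asc, Events asc
```

Start from the top of the result and pivot back into the raw `DeviceFileEvents` rows (using the 24h baseline query with an added `where InitiatingProcessFileName == "<name>"`) for anything you do not recognise; processes that show up on every device with thousands of events are usually candidates for an exclusion list rather than an investigation.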

Nathan Hutchinson
Released: February 2, 2026