Linux File Activity Baseline
Query
let LinuxDeviceIds =
DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId;
DeviceFileEvents
| where Timestamp > ago(24h)
| where DeviceId in (LinuxDeviceIds)
| project
Timestamp,
DeviceName,
ActionType,
FileName,
FolderPath,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
ReportId
| order by Timestamp desc
| take 200About this query
Linux – File Activity Baseline – Last 24h
Purpose
Provides visibility into file system activity, which is critical for Linux threat hunting due to heavy use of staging directories.
Query
Use this for
- Detecting file drops and clean‑up activity
- Identifying abuse of
/tmp,/var/tmp, or home directories - Correlating file writes with suspicious processes
- Hunting installer‑style malware or tooling
Typical activity you’ll see
- File creation in
/tmp - Renames of staged binaries
- Script output files
- Temporary archive extraction
Explanation
This query is designed to monitor and analyze file system activities on Linux devices over the past 24 hours. It helps in identifying potential security threats by focusing on how files are being used and manipulated. Here's a simple breakdown of what the query does:
-
Identify Linux Devices: It first gathers a list of device IDs that are running the Linux operating system.
-
Filter Recent File Events: It then looks at file events that have occurred in the last 24 hours on these Linux devices.
-
Select Relevant Information: The query extracts specific details about each file event, such as the time it happened, the device name, the type of action performed (like file creation or deletion), the file name and path, and any process that initiated the action.
-
Sort and Limit Results: The results are sorted by the most recent events and limited to the top 200 entries for easier analysis.
This query is particularly useful for:
- Detecting when files are added or removed, especially in directories commonly used for temporary storage or staging, like
/tmpor/var/tmp. - Identifying unusual or suspicious file activities that might indicate malicious behavior, such as malware installation or execution.
- Correlating file changes with processes that might be performing unauthorized actions.
Typical activities you might observe include the creation of files in temporary directories, renaming of files, output from scripts, or extraction of temporary archives. These insights are crucial for threat hunting and maintaining the security of Linux systems.
Details

Nathan Hutchinson
Released: February 2, 2026
Tables
Keywords
Operators