Query Details
## Linux – Logon Activity – Last 24h
### Purpose
Adds **user context** to Linux activity. Especially useful for SSH-based investigations.
### Query
```kql
// Collect the DeviceIds of all Linux devices known to Defender
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
// Pull logon events from the last 24 hours on those devices
DeviceLogonEvents
| where Timestamp > ago(24h)
| where DeviceId in (LinuxDeviceIds)
| project
    Timestamp,
    DeviceName,
    ActionType,                     // e.g. LogonSuccess / LogonFailed
    AccountName,
    AccountDomain,
    LogonType,                      // interactive, remote, network, ...
    InitiatingProcessFileName,      // process that handled the logon (e.g. sshd)
    InitiatingProcessCommandLine
| order by Timestamp desc            // most recent logons first
```
### Use this for
* Investigating SSH access
* Detecting unexpected interactive logons
* Correlating user sessions with process or network activity
### Typical activity you’ll see
* SSH logons
* Local user sessions
* Automation accounts

This query is designed to help you investigate user logon activity on Linux devices over the past 24 hours, with a focus on SSH-based access. Here's a simple breakdown of what the query does:

1. **Identify Linux devices:** It first identifies all devices running Linux by checking the operating system platform in the DeviceInfo table and collects their unique DeviceIds.
2. **Filter logon events:** It then looks at the DeviceLogonEvents table to find logon events that occurred within the last 24 hours on these Linux devices.
3. **Select relevant information:** For each logon event, it selects key details such as the timestamp, device name, action type, account name and domain, logon type, and information about the initiating process (like the file name and command line).
4. **Sort the results:** Finally, it orders these events by timestamp in descending order, so the most recent logon activities appear first.

This query is particularly useful for investigating SSH access, detecting unexpected interactive logons, and correlating user sessions with other activities like process or network events. Typical activities you might see include SSH logons, local user sessions, and actions by automation accounts.
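To turn the raw list above into a lead for the "unexpected interactive logons" use case, the following added variant (not part of the original query) keeps only successful logons in the last 24 hours by account/device pairs that had no successful logon on any Linux device during the preceding 30 days. It assumes the standard DeviceLogonEvents columns `RemoteIP` and `LogonType` and the ActionType value `LogonSuccess`; the 30-day baseline matches the advanced hunting retention window.

```kql
// Added example: first-seen account/device pairs on Linux in the last 24h.
// Reuses the Linux device list from the query above.
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
// Baseline: every (account, device) pair with a successful logon in the
// 30 days *before* the investigation window.
let Baseline =
    DeviceLogonEvents
    | where Timestamp between (ago(30d) .. ago(24h))
    | where DeviceId in (LinuxDeviceIds)
    | where ActionType == "LogonSuccess"
    | distinct AccountName, DeviceName;
DeviceLogonEvents
| where Timestamp > ago(24h)
| where DeviceId in (LinuxDeviceIds)
| where ActionType == "LogonSuccess"
// leftanti keeps only rows whose (account, device) pair is absent from Baseline
| join kind=leftanti Baseline on AccountName, DeviceName
| summarize
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp),
    Logons     = count(),
    RemoteIPs  = make_set(RemoteIP, 20),   // source addresses, capped at 20
    LogonTypes = make_set(LogonType, 5),
    Processes  = make_set(InitiatingProcessFileName, 5)
    by AccountName, DeviceName
| order by FirstSeen desc
```

Pairs that appear here are not necessarily malicious (new hires, freshly provisioned hosts and new automation accounts all show up), but they are the rows worth pivoting on with the DeviceProcessEvents and DeviceNetworkEvents tables for the same account and time range.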

Nathan Hutchinson
Released: February 2, 2026