Query Details
## Linux – Network Events Baseline (ReportId Dedupe) – Last 24h
### Purpose
This is your **network hunting baseline**. It preserves fidelity while removing only *true* duplicate records: rows that share the same `DeviceId` and `ReportId`, which are repeated copies of one event rather than distinct events.
### Query
```kql
let LinuxDeviceIds =
DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId;
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where DeviceId in (LinuxDeviceIds)
| summarize arg_max(Timestamp, *) by DeviceId, ReportId
| order by Timestamp desc
```
### Use this for
* Identifying unexpected outbound connections
* Spotting command‑line driven egress (e.g. `curl`, `wget`)
* Detecting early C2‑like behaviour
* Validating Network Protection coverage
### Typical activity you’ll see
* HTTPS requests to public IPs
* Package repository traffic
* Script‑driven uploads / downloads
* Occasional inbound connections (SSH, services)

This query is designed to help you monitor network activity on Linux devices over the past 24 hours. Here's a simple breakdown of what it does:

* **Identify Linux devices:** It first creates a list of unique device IDs for devices running the Linux operating system.
* **Filter network events:** It then looks at network events from the last 24 hours, focusing only on those involving the Linux devices identified earlier.
* **Remove duplicates:** For each device and report combination, it keeps only the most recent event, so repeated copies of the same record are collapsed while distinct events are preserved.
* **Sort by time:** Finally, it orders these events by their timestamp, showing the most recent events first.
This query is useful for detecting unusual network activities, such as unexpected outbound connections, command-line driven data transfers, and potential early signs of command and control (C2) behavior. It also helps in verifying if network protection measures are effectively covering these devices. Typical activities you might observe include HTTPS requests to public IPs, traffic related to package repositories, and script-driven uploads or downloads. Occasionally, you might also see inbound connections like SSH or other services.
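The following is an added example, not part of the original query or its author's work. It reuses the same ReportId-deduplicated Linux baseline and then pivots it toward one of the listed use cases, command-line driven egress, by keeping only successful connections to public addresses initiated by common CLI transfer tools and rolling them up per device and destination. The tool list in `CliTransferTools` is an illustrative assumption; adjust it to match what is expected in your environment.

```kql
// Added example: baseline reuse plus an egress pivot (assumption: MDE advanced hunting schema).
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
// Illustrative tool list (assumption); extend or replace with what your fleet normally uses.
let CliTransferTools = dynamic(["curl", "wget"]);
// Same dedupe as the baseline query: one row per DeviceId + ReportId, keeping the newest copy.
let Baseline =
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where DeviceId in (LinuxDeviceIds)
    | summarize arg_max(Timestamp, *) by DeviceId, ReportId;
Baseline
// Only connections that actually completed, to reduce noise from failed attempts.
| where ActionType == "ConnectionSuccess"
// Focus on egress leaving the network; internal and loopback traffic is excluded.
| where RemoteIPType == "Public"
// Connections started directly by the CLI transfer tools listed above.
| where InitiatingProcessFileName in~ (CliTransferTools)
| summarize
    Connections = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
// Rare device/destination pairs float to the top, which is where hunting attention belongs.
| order by Connections asc, LastSeen desc
```

Because the pivot is built on the deduplicated `Baseline` rather than on `DeviceNetworkEvents` directly, the `Connections` count reflects distinct events instead of repeated copies of the same report, which keeps the "rare destination" ordering honest.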

Nathan Hutchinson
Released: February 2, 2026