Query Details
### Pivot A – Network fan‑out from the upload process

## Follow‑up pivots (recommended)

Use this when pivoting from the **Linux – Archive Command Followed by Upload Egress** query. They are strongly recommended to understand scope and intent.

* **Update the device name** in the `Device` variable to match the Linux host you want to investigate.
* **Adjust the time window** `(datetime(2026-01-30T15:00:00Z) .. datetime(2026-01-30T15:10:00Z))` if you are looking at older activity or want to narrow the scope during triage.

Use this pivot to identify:

* Multiple upload destinations
* CDN or mirror fan‑out
* Additional data transfers

```kql
// Update DeviceName and time window as required
DeviceNetworkEvents
| where Timestamp between (datetime(2026-01-30T15:00:00Z) .. datetime(2026-01-30T15:10:00Z))
| where DeviceName =~ "DeviceNameHere"
| where InitiatingProcessCommandLine has "file=@"
| project Timestamp, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

(Adjust timestamps based on the initial hit.)
This query is designed to help you investigate network activity related to file uploads from a specific Linux device. Here's a simple breakdown of what it does:
* **Filter by time and device:** It looks at network events from a particular device within a specified 10-minute time window. You need to replace "DeviceNameHere" with the actual name of the device you're investigating and adjust the time window as needed.
* **Focus on upload processes:** It specifically filters for network events where the command line includes "file=@", which suggests a file upload process.
* **Extract key information:** The query retrieves and displays important details such as the timestamp of the event, the remote IP address and port involved in the connection, and the command line details of the process that initiated the upload.
* **Sort by time:** The results are ordered by timestamp in descending order, so the most recent events appear first.
This query helps you identify multiple upload destinations, potential content delivery networks (CDNs) or mirrors involved, and any additional data transfers initiated by the upload process. Adjust the device name and time window to suit your investigation needs.
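The pivot above returns one row per connection, so spotting fan-out means eyeballing repeated command lines. The following query is an added example, not part of the original page or the author's query set: it groups the same events by initiating process so that a single upload command line reaching several remote hosts shows up as one row with a destination count. It assumes the standard Microsoft Defender XDR advanced hunting schema for `DeviceNetworkEvents` (the `RemoteUrl` and `InitiatingProcessId` columns in addition to those the original query uses), and it keeps the `Device` variable and the placeholder device name and time window from the guidance above.

```kql
// Added example: surface upload fan-out by aggregating destinations per initiating process.
// Assumes the Defender XDR DeviceNetworkEvents schema; device name and window are placeholders.
let Device = "DeviceNameHere";
let StartTime = datetime(2026-01-30T15:00:00Z);
let EndTime = datetime(2026-01-30T15:10:00Z);
DeviceNetworkEvents
| where Timestamp between (StartTime .. EndTime)
| where DeviceName =~ Device
| where InitiatingProcessCommandLine has "file=@"
// One row per upload process, listing every destination it reached in the window
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Connections = count(),
    DestinationIPs = make_set(RemoteIP),
    DestinationPorts = make_set(RemotePort),
    Urls = make_set_if(RemoteUrl, isnotempty(RemoteUrl))
    by DeviceName, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DistinctDestinations = array_length(DestinationIPs)
// Label the row so triage can sort on it: more than one remote host per upload is the fan-out case
| extend Assessment = case(
    DistinctDestinations > 1, "Fan-out: multiple upload destinations",
    Connections > 1, "Repeated connections to one destination",
    "Single connection")
| order by DistinctDestinations desc, Connections desc, FirstSeen asc
```

Rows labelled "Fan-out" are the ones to expand first: `DestinationIPs` and `Urls` show whether the extra hosts are CDN edges or mirrors of one service, or genuinely separate upload targets, while `FirstSeen` and `LastSeen` give the span to feed back into the time window of the parent query.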

Nathan Hutchinson
Released: February 2, 2026