Query Details

Linux Telemetry Validation Test Process

Query

## Linux – Telemetry Validation Test (Process) – Last 1h

### Purpose

This is your **primary “is EDR alive?” query** for Linux. If this returns data, core Linux telemetry (eBPF → process execution) is flowing correctly.

### Query

```kql
// Adjust the ago() value below to expand or shrink the time window
// Build the set of Linux device IDs from the most recent DeviceInfo record per device
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | summarize arg_max(Timestamp, DeviceName) by DeviceId
    | project DeviceId;
// Any process event from a Linux device in the window shows the eBPF -> process pipeline is alive
DeviceProcessEvents
| where Timestamp > ago(1h)
| where DeviceId in (LinuxDeviceIds)
| project
    Timestamp,
    DeviceName,
    FileName,
    FolderPath,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    ReportId
| order by Timestamp desc
| take 100
```

### Use this for

* Validating a newly onboarded Linux device
* Confirming telemetry after agent upgrades
* Confirming kernel / eBPF support is functional
* Proving to yourself (or others) that Linux EDR is *actually* collecting data
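The query above answers "is anything flowing?", but for onboarding and post-upgrade checks you usually want the inverse view: which Linux devices known to `DeviceInfo` have produced *no* process telemetry in the window. The following variant is an added example, not part of the original query; it assumes the same `DeviceInfo` and `DeviceProcessEvents` schema used above and adds a 7-day bound on `DeviceInfo` (an assumption about how far back you want to consider a device "known") so the inventory lookup stays cheap.

```kql
// Added example: list Linux devices with no process telemetry in the lookback window.
// Assumes the same DeviceInfo / DeviceProcessEvents columns as the original query.
let lookback = 1h;
let LinuxDevices =
    DeviceInfo
    | where Timestamp > ago(7d)              // assumption: devices seen in the last 7 days count as "known"
    | where OSPlatform == "Linux"
    | summarize arg_max(Timestamp, DeviceName) by DeviceId
    | project DeviceId, DeviceName, LastSeenInDeviceInfo = Timestamp;
let ReportingDevices =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where DeviceId in (LinuxDevices | project DeviceId)
    | summarize ProcessEvents = count(), LastProcessEvent = max(Timestamp) by DeviceId;
LinuxDevices
| join kind=leftouter ReportingDevices on DeviceId   // keep devices with zero events
| extend ProcessEvents = coalesce(ProcessEvents, 0)
| extend TelemetryStatus = iff(ProcessEvents > 0, "OK", "NO PROCESS TELEMETRY")
| project DeviceName, DeviceId, TelemetryStatus, ProcessEvents, LastProcessEvent, LastSeenInDeviceInfo
| order by TelemetryStatus asc, DeviceName asc     // "NO PROCESS TELEMETRY" sorts before "OK"
```

A device that shows `NO PROCESS TELEMETRY` but a recent `LastSeenInDeviceInfo` is the interesting case: the sensor is checking in, yet the eBPF process pipeline is not producing events, which points at kernel/eBPF support or agent health rather than network connectivity. A stale `LastSeenInDeviceInfo` alongside zero events usually just means the host is offline.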

### Typical activity you’ll see

* `bash`, `sh`, `zsh` executions
* Package managers (`apt`, `dnf`, `yum`)
* CLI tools (`curl`, `wget`, `python`, `node`)
* Parent/child execution chains

Explanation

This query is designed to check if Endpoint Detection and Response (EDR) is functioning correctly on Linux devices by verifying that process execution telemetry is being collected. Here's a simplified breakdown of what the query does:

  1. Identify Linux Devices: It first identifies all devices running Linux by checking the DeviceInfo table for entries where the operating system platform is "Linux". It then selects the most recent record for each device to get the latest DeviceId and DeviceName.

  2. Filter Recent Process Events: It looks at the DeviceProcessEvents table for process events that have occurred in the last hour (Timestamp > ago(1h)) and are associated with the identified Linux devices.

  3. Select Relevant Data: The query extracts specific details about each process event, such as the time it occurred, the device name, the file name of the process, the folder path, the command line used to start the process, and details about the initiating process.

  4. Order and Limit Results: The results are sorted by the most recent events (order by Timestamp desc) and limited to the top 100 entries.

Use Cases

  • Validating New Devices: Ensures that newly added Linux devices are reporting telemetry correctly.
  • Post-Upgrade Checks: Confirms that telemetry is still being collected after agent upgrades.
  • Kernel/eBPF Support: Verifies that the kernel and eBPF (extended Berkeley Packet Filter) support is functioning as expected.
  • Proof of Data Collection: Provides evidence that Linux EDR is actively collecting data.

Expected Activity

You might see executions of common shell environments like bash, sh, or zsh, package managers like apt, dnf, or yum, and command-line tools such as curl, wget, python, or node. Additionally, you may observe parent/child process execution chains, indicating normal system activity.

Details


Nathan Hutchinson

Released: February 2, 2026

Tables

DeviceInfo, DeviceProcessEvents

Keywords

DeviceInfo, DeviceProcessEvents, LinuxDeviceIds, Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId

Operators

let, where, summarize, arg_max, by, project, in, order by, take, ago
