Linux Telemetry Validation Test Process
Query
// Adjust timestamp to expand time window
let LinuxDeviceIds =
DeviceInfo
| where OSPlatform == "Linux"
| summarize arg_max(Timestamp, DeviceId, DeviceName) by DeviceId
| project DeviceId, DeviceName;
DeviceProcessEvents
| where Timestamp > ago(1h)
| where DeviceId in (LinuxDeviceIds)
| project
Timestamp,
DeviceName,
FileName,
FolderPath,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
ReportId
| order by Timestamp desc
| take 100About this query
Linux – Telemetry Validation Test (Process) – Last 1h
Purpose
This is your primary “is EDR alive?” query for Linux. If this returns data, core Linux telemetry (eBPF → process execution) is flowing correctly.
Query
Use this for
- Validating a newly onboarded Linux device
- Confirming telemetry after agent upgrades
- Confirming kernel / eBPF support is functional
- Proving to yourself (or others) that Linux EDR is actually collecting data
Typical activity you’ll see
bash,sh,zshexecutions- Package managers (
apt,dnf,yum) - CLI tools (
curl,wget,python,node) - Parent/child execution chains
Explanation
This query is designed to check if Endpoint Detection and Response (EDR) is functioning correctly on Linux devices by verifying that process execution telemetry is being collected. Here's a simplified breakdown of what the query does:
-
Identify Linux Devices: It first identifies all devices running Linux by checking the
DeviceInfotable for entries where the operating system platform is "Linux". It then selects the most recent record for each device to get the latestDeviceIdandDeviceName. -
Filter Recent Process Events: It looks at the
DeviceProcessEventstable for process events that have occurred in the last hour (Timestamp > ago(1h)) and are associated with the identified Linux devices. -
Select Relevant Data: The query extracts specific details about each process event, such as the time it occurred, the device name, the file name of the process, the folder path, the command line used to start the process, and details about the initiating process.
-
Order and Limit Results: The results are sorted by the most recent events (
order by Timestamp desc) and limited to the top 100 entries.
Use Cases
- Validating New Devices: Ensures that newly added Linux devices are reporting telemetry correctly.
- Post-Upgrade Checks: Confirms that telemetry is still being collected after agent upgrades.
- Kernel/eBPF Support: Verifies that the kernel and eBPF (extended Berkeley Packet Filter) support is functioning as expected.
- Proof of Data Collection: Provides evidence that Linux EDR is actively collecting data.
Expected Activity
You might see executions of common shell environments like bash, sh, or zsh, package managers like apt, dnf, or yum, and command-line tools such as curl, wget, python, or node. Additionally, you may observe parent/child process execution chains, indicating normal system activity.
Details

Nathan Hutchinson
Released: February 2, 2026
Tables
Keywords
Operators