## Linux Server – Public Egress Baseline (High Fidelity)
### Query name
**`Linux Server – Public egress baseline (high fidelity) – last 24h`**
### Purpose
Provides a **high-fidelity view of outbound public network traffic** for Linux servers.
This baseline excludes **only Defender’s own traffic** (the `sensecm` process, matched by exact file name), leaving all other activity visible for review. Note that the filter is deliberately narrow: other Defender for Endpoint components on Linux (for example `wdavdaemon`) are not excluded and will still appear in the results. The assumption is that **servers should be quieter and more predictable** than desktops.
### Query
```kql
// Device inventory: collect the IDs of every device reporting a Linux OS platform.
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceNetworkEvents
| where Timestamp > ago(24h)                        // last 24 hours only
| where DeviceId in (LinuxDeviceIds)                // restrict to Linux devices
| where RemoteIPType == "Public"                    // public destinations only
| where RemoteIP !startswith "127."                 // explicit loopback guard (already implied by "Public")
| where InitiatingProcessFileName !in ("sensecm")   // drop Defender's own sensor traffic, nothing else
| project
    Timestamp,
    DeviceName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    RemoteIP,
    RemotePort,
    Protocol
| order by Timestamp desc
```
### Why this is stricter
On servers:
* `networkmanager` is often unnecessary or suspicious
* `snapd` may not be expected at all
* `fwupdmgr` is uncommon
* Package management activity may be operationally relevant
Rather than excluding these by default, this query **keeps them visible** so they can be reviewed in context.
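As an added example (not part of the original page or the author's query), the query below turns the baseline into a review view: it keeps the same filters, labels the desktop-style and package-management processes instead of hiding them, and reports only destinations a given device and process have not contacted in the preceding seven days, which is what "baseline" usually means in practice. It assumes the same tables and columns as the query above; the process lists and the seven-day window are illustrative assumptions to tune for your fleet, and `in~` is used so that case differences in reported file names (such as `NetworkManager`) do not cause misses.

```kql
// Added example, not the original query. Assumes DeviceInfo / DeviceNetworkEvents
// with the columns used above; process lists are illustrative and should be tuned.
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
// Processes that are expected on desktops but rarely on servers (assumption).
let DesktopStyleProcesses = dynamic(["networkmanager", "snapd", "fwupdmgr"]);
// Package managers whose egress is operationally relevant rather than suspicious (assumption).
let PackageManagers = dynamic(["apt", "apt-get", "dnf", "yum", "zypper", "pip", "pip3"]);
// Same filters as the baseline query, over eight days: seven for the baseline plus the last 24h.
let Egress =
    DeviceNetworkEvents
    | where Timestamp > ago(8d)
    | where DeviceId in (LinuxDeviceIds)
    | where RemoteIPType == "Public"
    | where InitiatingProcessFileName != "sensecm";
// Baseline: every device/process/destination tuple seen before the last 24 hours.
let Baseline =
    Egress
    | where Timestamp <= ago(24h)
    | distinct DeviceId, InitiatingProcessFileName, RemoteIP, RemotePort;
// Last 24 hours, minus anything already in the baseline (leftanti keeps only new tuples).
Egress
| where Timestamp > ago(24h)
| join kind=leftanti Baseline on DeviceId, InitiatingProcessFileName, RemoteIP, RemotePort
| extend Category = case(
    InitiatingProcessFileName in~ (DesktopStyleProcesses), "desktop-style",
    InitiatingProcessFileName in~ (PackageManagers), "package-management",
    "other")
| summarize
    Connections = count(),
    FirstSeen = min(Timestamp),
    Destinations = make_set(strcat(RemoteIP, ":", tostring(RemotePort)), 20),
    SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by DeviceName, InitiatingProcessFileName, Category
| order by Category asc, Connections desc
```

The `desktop-style` rows are the ones this page argues should be reviewed first on a server; `package-management` rows tell you which hosts pulled packages from a new source in the last day; `other` is where application services, backup agents and genuinely unexpected egress will land. Drop the `join` line to fall back to the plain 24-hour view.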
### Typical activity you might investigate
* Application services calling external APIs
* Backup agents or monitoring tools
* Unexpected outbound connections
* Misconfigurations (servers acting like desktops)
### When to use this query
* Server threat hunting
* Investigating suspected compromise
* Auditing server network behaviour
* Supply-chain or persistence investigations
### How the query works
The query monitors outbound public network traffic from Linux servers over the past 24 hours, excluding only traffic generated by Defender's own `sensecm` process, on the assumption that servers should have quieter and more predictable network activity than desktops. Step by step:
* **Identify Linux devices.** Filter `DeviceInfo` for `OSPlatform == "Linux"` and collect the distinct `DeviceId` values.
* **Filter network events.** Take `DeviceNetworkEvents` rows from the last 24 hours whose `DeviceId` is in that set.
* **Keep public destinations.** Keep only rows where `RemoteIPType == "Public"`. The additional `!startswith "127."` guard drops loopback addresses; these should never be classified as public, so the guard is belt-and-braces rather than the actual public/private test.
* **Exclude Defender traffic.** Drop rows whose `InitiatingProcessFileName` is `sensecm`, so every other process remains visible.
* **Project the review columns.** Output the timestamp, device name, initiating process name and command line, remote IP, remote port and protocol.
* **Order by time.** Sort by `Timestamp` descending so the most recent connections appear first.
Because `networkmanager`, `snapd` and `fwupdmgr` are unnecessary or uncommon on servers, they are deliberately not excluded: their presence is itself a finding worth reviewing in context. The result is a single view for spotting unexpected or suspicious outbound connections, application services calling external APIs, and misconfigured servers that behave like desktops.

Nathan Hutchinson
Released: February 2, 2026