Question Analysis

DeviceFileEvents | join DeviceInfo on DeviceId | where ActionType == "FileDeleted" | where OSPlatform == "Linux" | distinct FileName

DeviceFileEvents | where ActionType == 'FileDeleted' | where InitiatingProcessCommandLine contains 'shred' or InitiatingProcessCommandLine contains '/bin/rm' | where FolderPath startswith '/tmp/' | project DeviceName, FileName, FolderPath, InitiatingProcessCommandLine, TimeGenerated

// Identify files securely deleted by Linux native utilities (shred, srm, wipe, scrub, wipefs, secure-delete, srm.sh, srm-ls) let lookback = 30d; // fallback if external time range not applied let toolsRegex = @"\b(shred|srm|wipe|scrub|wipefs|secure-delete|srm\.sh|srm-ls)\b"; // Events that explicitly show file delete/removal and were initiated by candidate tools let fileEvents = ( union DeviceFileEvents, DeviceEvents | where TimeGenerated >= ago(lookback) | extend iproc = tolower(tostring(InitiatingProcessFileName)), icmd = tolower(tostring(InitiatingProcessCommandLine)) | where iproc matches regex toolsRegex or icmd matches regex toolsRegex | where ActionType has_any ("Delete","Removed","RemovedFile","FileDelete","FileDeleted","Deleted","Remove") | extend FullPath = iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, "/", FileName), coalesce(FileName, "")) | project TimeGenerated, DeviceName, FullPath, SourceFileName = FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, ReportId ); // Process executions where the tool was invoked and command line contains file path tokens (common temp locations) let procEvents = ( DeviceProcessEvents | where TimeGenerated >= ago(lookback) | extend pcmd = tostring(ProcessCommandLine), iproc = tostring(InitiatingProcessFileName), icmd = tostring(InitiatingProcessCommandLine) | where tolower(pcmd) matches regex toolsRegex or tolower(iproc) matches regex toolsRegex or tolower(icmd) matches regex toolsRegex // split command line into tokens and inspect for path-like tokens | mv-expand token = split(pcmd, ' ') | extend token = trim('\"\'\t', tostring(token)) | where token startswith '/' or token startswith './' or token contains '/tmp/' or token contains '/var/tmp/' or token contains '/run/' | extend FullPath = token | extend SourceFileName = extract(@"([^/]+)$", 1, FullPath), FolderPath = extract(@"(.*/)[^/]+$", 1, FullPath) | project TimeGenerated, DeviceName, FullPath, SourceFileName, FolderPath, InitiatingProcessFileName = iproc, InitiatingProcessCommandLine = pcmd, ActionType = "ProcessExecution", ReportId ); union fileEvents, procEvents | where isnotempty(FullPath) and FullPath != '' | summarize arg_max(TimeGenerated, *) by FullPath | extend DeletedFileName = extract(@"([^/]+)$", 1, FullPath) | project TimeGenerated, DeviceName, FullPath, DeletedFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, ReportId | sort by TimeGenerated desc | take 50

// Identify Linux devices let linuxDeviceIds = DeviceInfo | where tolower(tostring(OSPlatform)) contains "linux" | distinct DeviceId; // Candidate secure-delete processes and the file paths they were given on the command line let procCandidates = DeviceProcessEvents | join kind=inner (linuxDeviceIds) on DeviceId | extend ProcName = tolower(tostring(split(FileName, "/")[-1])) | where ProcName in ('shred','srm','wipe','sfill','scrub') | extend Cmd = tostring(ProcessCommandLine) // split command line and keep tokens that look like file paths | mv-expand Token = split(Cmd, ' ') | where Token startswith '/' or Token startswith './' or Token startswith '~/' | extend DeletedFileFromCmd = trim('"', tostring(Token)) | summarize arg_max(ProcessCreationTime, *) by DeviceId, ProcessId, DeletedFileFromCmd | project DeviceId, DeviceName, ProcessId, ProcessCreationTime, Tool = FileName, ProcessCommandLine = Cmd, DeletedFileFromCmd; // File delete events that may correspond to a secure-delete let fileDeletes = DeviceFileEvents | where tolower(tostring(ActionType)) has 'delete' or tolower(tostring(ActionType)) has 'unlink' or tolower(tostring(ActionType)) has 'remove' or tolower(tostring(ActionType)) has 'deleted' or tolower(tostring(ActionType)) has 'removed' | project DeviceId, TimeGenerated, DeletedFileEventName = FileName, FolderPath, InitiatingProcessId, ActionType; procCandidates | join kind=leftouter (fileDeletes) on DeviceId, $left.ProcessId == $right.InitiatingProcessId | extend DeletedFile = coalesce(DeletedFileEventName, DeletedFileFromCmd) | where isnotempty(DeletedFile) | extend Time = coalesce(TimeGenerated, ProcessCreationTime) | project Time, DeviceName, InitiatingTool = Tool, ProcessCommandLine, DeletedFile = tostring(DeletedFile), FolderPath, ActionType | summarize arg_max(Time, *) by DeletedFile | order by Time desc | take 50

let SecureDeleteCandidates = DeviceFileEvents | where TimeGenerated >= ago(1d) | where ActionType contains "Delete" // deletion events | where InitiatingProcessCommandLine has_any ("shred", "shred -u", "/usr/bin/shred", "wipe", "secure-delete", "srm") | where InitiatingProcessCommandLine contains "-u" // securely remove after overwrite | where FolderPath startswith "/tmp" or FolderPath startswith "/var/tmp" or FolderPath contains "/tmp/" | extend DeletedPath = strcat(FolderPath, FileName) | project TimeGenerated, DeviceName, DeviceId, FileName, FolderPath, DeletedPath, InitiatingProcessCommandLine | sort by TimeGenerated desc | take 100; SecureDeleteCandidates | distinct FileName, FolderPath, DeletedPath, InitiatingProcessCommandLine

DeviceProcessEvents | where ProcessCommandLine contains 'shred' | join kind=inner ( DeviceInfo | where OSPlatform contains 'Linux' ) on DeviceId | project Timestamp, DeviceName, FileName, ProcessCommandLine | order by Timestamp desc

let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceFileEvents | where ActionType == "FileDeleted" | join kind=inner LinuxDevices on DeviceId | where InitiatingProcessCommandLine has_any ("shred", "srm", "wipe") | project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessCommandLine

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("shred", "srm") | project TimeGenerated, DeviceId, DeviceName, ProcessId, SecureDeletionCommand = ProcessCommandLine | join kind=inner ( DeviceFileEvents | where ActionType in~ ("FileDeleted", "FileRemoved") | project DeviceId, InitiatingProcessId, DeletedFileName = FileName, DeletedFolderPath = FolderPath ) on DeviceId | where ProcessId == InitiatingProcessId | project TimeGenerated, DeviceName, SecureDeletionCommand, DeletedFileName, DeletedFolderPath | order by TimeGenerated desc

// Secure deletion of a temporary file with shred -u / --remove let linux_devices = DeviceInfo | where OSPlatform startswith_cs "Linux" | project DeviceId, DeviceName; DeviceProcessEvents | where FileName =~ "shred" | where ProcessCommandLine has_any (" -u", " --remove") | join kind=inner (linux_devices) on DeviceId | extend TargetFilePath = extract(@"(/tmp/[^\s]+)", 1, ProcessCommandLine) | where isnotempty(TargetFilePath) | extend SecurelyDeletedFileName = tostring(split(TargetFilePath, "/")[-1]) | summarize LastSeen = max(TimeGenerated) by DeviceName, SecurelyDeletedFileName, TargetFilePath | project DeviceName, SecurelyDeletedFileName, TargetFilePath, LastSeen | order by LastSeen desc

DeviceProcessEvents | where InitiatingProcessCommandLine has "shred" and InitiatingProcessCommandLine has "-u" | extend TempFile = strcat(FolderPath, "/", FileName) | project TimeGenerated, DeviceName, TempFile, InitiatingProcessCommandLine | order by TimeGenerated desc | take 1

DeviceProcessEvents | where InitiatingProcessCommandLine has "shred" and InitiatingProcessCommandLine has "-u" | extend SecurelyDeletedFile = extract(@"(?:shred\s+-u\s+)(\S+)", 1, InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, SecurelyDeletedFile, InitiatingProcessCommandLine

DeviceProcessEvents | where FileName == "shred" or FileName endswith "/shred" | where ProcessCommandLine contains "-u" or ProcessCommandLine contains "--remove" | extend DeletedFile = extract(@"(?:-u|--remove)\s+([^\s]+)", 1, ProcessCommandLine) | where isnotempty(DeletedFile) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, DeletedFile