Question Analysis

DeviceFileEvents | where (ActionType == "FileCreated" or ActionType == "FileWritten") | where FolderPath startswith "/tmp" | where InitiatingProcessCommandLine has_any ("cat", "lsb_release", "uname", "release", "os-release", "kernel", ">", "/etc/") | project TimeGenerated, FileName, FolderPath, InitiatingProcessCommandLine, OutputFile=strcat(FolderPath, "/", FileName) | summarize Count=count(), ExampleCommand=any(InitiatingProcessCommandLine), FirstSeen=min(TimeGenerated) by OutputFile | order by Count desc, FirstSeen asc | take 10

DeviceFileEvents | where FolderPath startswith "/tmp" | summarize by FileName | project FileName

let linux_devices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; let release_rx = @"(?i)(/etc/(?:os-release|lsb-release|redhat-release|system-release)|/etc/issue|\blsb_release\b)"; let kernel_rx = @"(?i)\b(?:uname\s+(?:-a|-r)|hostnamectl|/proc/version)\b"; DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (linux_devices) // Extract an output path under /tmp written via redirection or tee | extend OutputPath = coalesce( extract(@">>{0,1}\s*(/tmp/[^ \t|;&>]+)", 1, ProcessCommandLine), extract(@"\btee\b[^\r\n]*\s+(/tmp/[^ \t|;&>]+)", 1, ProcessCommandLine) ) | where isnotempty(OutputPath) | extend HasRelease = ProcessCommandLine matches regex release_rx | extend HasKernel = ProcessCommandLine matches regex kernel_rx // Aggregate per device and output path to ensure both data types were written to the same file | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), AnyRelease=any(HasRelease), AnyKernel=any(HasKernel), ExampleCmd=arg_max(TimeGenerated, ProcessCommandLine) by DeviceId, DeviceName, OutputPath | where AnyRelease and AnyKernel | extend OutputFile = extract(@"[^/]+$", 0, OutputPath) | project LastSeen, DeviceName, OutputPath, OutputFile, ExampleCmd | order by LastSeen desc

let keywords = dynamic(["release","os-release","lsb-release","issue","kernel","uname","version","system-release","sysinfo","osinfo","os_release"]); let pathPrefix = "/tmp/"; let lastN = 50; ( DeviceFileEvents | where coalesce(TimeGenerated, Timestamp) >= ago(30d) | extend Time = coalesce(TimeGenerated, Timestamp) | extend InitiatingCmd = tolower(coalesce(InitiatingProcessCommandLine, "")) | where (isnotempty(FolderPath) and FolderPath startswith pathPrefix) or (isnotempty(FileName) and tolower(FileName) has_any (keywords)) or (InitiatingCmd has_any (keywords)) | extend FullPath = iff(isnotempty(FolderPath), iff(FolderPath endswith "/", strcat(FolderPath, FileName), strcat(FolderPath, "/", FileName)), FileName) | project Time, DeviceName, Table = "DeviceFileEvents", FullPath, FileName, FolderPath, InitiatingProcessFileName, InitiatingCmd, ActionType, FileSize, MD5, SHA1, SHA256 ) | union ( DeviceEvents | where coalesce(TimeGenerated, Timestamp) >= ago(30d) | extend Time = coalesce(TimeGenerated, Timestamp) | extend InitiatingCmd = tolower(coalesce(InitiatingProcessCommandLine, "")) | where (isnotempty(FolderPath) and FolderPath startswith pathPrefix) or (isnotempty(FileName) and tolower(FileName) has_any (keywords)) or (InitiatingCmd has_any (keywords)) | extend FullPath = iff(isnotempty(FolderPath), iff(FolderPath endswith "/", strcat(FolderPath, FileName), strcat(FolderPath, "/", FileName)), FileName) | project Time, DeviceName, Table = "DeviceEvents", FullPath, FileName, FolderPath, InitiatingProcessFileName, InitiatingCmd, ActionType, FileSize, MD5, SHA1, SHA256 ) | union ( DeviceProcessEvents | where coalesce(TimeGenerated, Timestamp) >= ago(30d) | extend Time = coalesce(TimeGenerated, Timestamp) | extend InitiatingCmd = tolower(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "")) | where (isnotempty(FolderPath) and FolderPath startswith pathPrefix) or (isnotempty(FileName) and tolower(FileName) has_any (keywords)) or (InitiatingCmd has_any (keywords)) | extend FullPath = iff(isnotempty(FolderPath), iff(FolderPath endswith "/", strcat(FolderPath, FileName), strcat(FolderPath, "/", FileName)), FileName) | project Time, DeviceName, Table = "DeviceProcessEvents", FullPath, FileName, FolderPath, InitiatingProcessFileName=InitiatingProcessFileName, InitiatingCmd, ActionType, FileSize, MD5, SHA1, SHA256 ) | summarize arg_max(Time, *) by FullPath, DeviceName | order by Time desc | take lastN

// Find processes that read common system release/kernel files and write an aggregated file under /tmp let proc = DeviceProcessEvents | extend cmd = tolower(tostring(ProcessCommandLine)), icmd = tolower(tostring(InitiatingProcessCommandLine)) | where isnotempty(cmd) or isnotempty(icmd) // Look for reads of common Linux release/kernel info | where ( (cmd contains "/etc/" and cmd contains "release") or cmd contains "/proc/version" or cmd contains "boot/config" or cmd contains "os-release" or cmd contains "uname" or cmd contains "dmesg" or (icmd contains "/etc/" and icmd contains "release") or icmd contains "/proc/version" or icmd contains "boot/config" or icmd contains "os-release" or icmd contains "uname" or icmd contains "dmesg" ) // And also evidence of writing to /tmp (redirection, tee, cp, mv, or explicit /tmp path) | where ( cmd contains "/tmp/" or icmd contains "/tmp/" or cmd matches regex @"(>\s*/tmp/|>>\s*/tmp/|1>\s*/tmp/)" or cmd matches regex @"(\btee\b|\scp\b|\smv\b).*?/tmp/\S+" or icmd matches regex @"(>\s*/tmp/|>>\s*/tmp/|1>\s*/tmp/)" or icmd matches regex @"(\btee\b|\scp\b|\smv\b).*?/tmp/\S+" ) | extend outpath = coalesce( extract("(/tmp/\\S+)", 1, cmd), extract("(/tmp/\\S+)", 1, icmd) ) | project TimeGenerated, DeviceName, ProcessId, FileName, FolderPath, outpath, ProcessCommandLine=ProcessCommandLine, InitiatingProcessCommandLine=InitiatingProcessCommandLine ; let fileEvents = DeviceFileEvents | where FolderPath has "/tmp" or FileName has "/tmp" or FolderPath endswith "/tmp" | extend outpath = case( FileName has "/tmp/", FileName, FolderPath endswith "/", strcat(FolderPath, FileName), FolderPath contains "/tmp", strcat(FolderPath, "/", FileName), strcat(FolderPath, "/", FileName) ) | project TimeGenerated, DeviceName, FileName, FolderPath, ActionType, outpath, InitiatingProcessCommandLine ; // Combine and show recent matches and a top summary of candidate /tmp file names proc | union fileEvents | summarize hits = count(), any_Time = max(TimeGenerated) by outpath, DeviceName | where isnotempty(outpath) | order by hits desc, any_Time desc | limit 20 // Uncomment below to see the raw recent events (limit 50) // proc | union fileEvents | order by TimeGenerated desc | limit 50

DeviceFileEvents | where FolderPath startswith "/tmp" | where ActionType == "FileCreated" | join kind=inner ( DeviceInfo | where OSPlatform contains "Linux" ) on DeviceId | project FileName, FolderPath, DeviceName, Timestamp | order by Timestamp desc

DeviceFileEvents | where FolderPath startswith '/tmp/' | where ActionType == 'FileCreated' // Adjust based on actual ActionType values if needed | project FileName, InitiatingProcessCommandLine, Timestamp | order by Timestamp desc | take 10 // Limit to top 10 recent events for review

// Filter to Linux devices let LinuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | distinct DeviceId; LinuxDevices | join kind=inner ( DeviceProcessEvents // Look for process events where the command likely collects system release or kernel details | where ProcessCommandLine has_any ("/etc/", "release", "uname") // Look for a redirect to a file under /tmp | where ProcessCommandLine matches regex @"[>]{1,2}\s*/tmp/" // Parse out the output file name | parse kind=regex ProcessCommandLine with @".*[>]{1,2}\s*(/tmp/[^\s]+).*" outputFile | project TimeGenerated, DeviceId, DeviceName, ProcessCommandLine, outputFile ) on DeviceId | project TimeGenerated, DeviceName, ProcessCommandLine, outputFile | order by TimeGenerated desc

// Join with DeviceInfo to find only devices running Linux DeviceProcessEvents | join kind=inner ( DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId ) on DeviceId // Look for commands referencing release files or kernel details often seen on Linux | where ProcessCommandLine has_any("release", "kernel", "uname", "lsb_release", "os-release", "version") // Also ensure the command line references /tmp | where ProcessCommandLine has "/tmp/" // Use regex to extract the portion of the file name under /tmp | extend OutputFile = extract(@"/tmp/([^ ]+)", 1, ProcessCommandLine) // Select relevant fields | project TimeGenerated, DeviceName, ProcessCommandLine, OutputFile | order by TimeGenerated desc

// ---------------------------------------------- // Linux host – identify file into which release / kernel information was aggregated // ---------------------------------------------- let linux_devices = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId; DeviceProcessEvents | where DeviceId in (linux_devices) // command must reference typical OS / kernel info sources… | where ProcessCommandLine has_any ("/etc/os-release", "/etc/lsb-release", "/etc/redhat-release", "/etc/system-release", "/proc/version", "lsb_release", "uname", "hostnamectl") // …and redirect that output to /tmp (either ">" or ">>") | where ProcessCommandLine contains "/tmp/" and ProcessCommandLine has ">" // extract the redirected file path that sits after the > or >> token | extend OutputFilePath = tostring(extract(@">+\s*(/tmp/[^\s>]+)", 1, ProcessCommandLine)) | where isnotempty(OutputFilePath) // pull out just the file name portion | extend OutputFileName = tostring(split(OutputFilePath, "/")[-1]) // show when we first / last saw it, per host (optional but useful) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by DeviceName, OutputFilePath, OutputFileName | order by LastSeen desc

DeviceProcessEvents | where InitiatingProcessCommandLine contains "> /tmp/" // Focus on Linux system collection commands by filtering for likely keywords | where InitiatingProcessCommandLine contains "release" or InitiatingProcessCommandLine contains "kernel" | extend OutputFile = extract(@">\s*(/tmp/\S+)", 1, InitiatingProcessCommandLine) | where isnotempty(OutputFile) | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, OutputFile | order by TimeGenerated desc | limit 100

let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) // time range will be set by the portal | where DeviceId in (linuxDevices) | where ProcessCommandLine contains ">" and ProcessCommandLine contains "/tmp/" | extend OutputFile = extract(@">\s*\/tmp\/(?<filename>[^\s]+)", 1, ProcessCommandLine) | where isnotempty(OutputFile) | summarize Count = count() by OutputFile | sort by Count desc

// Identify Linux devices let LinuxDevices = DeviceInfo | where OSPlatform has "Linux" | distinct DeviceId; // Find process executions that redirect output into /tmp DeviceProcessEvents | where DeviceId in (LinuxDevices) // Look for redirection operators writing to /tmp | where ProcessCommandLine matches regex @"[>]{1,2}\s*/tmp/" | project TimeGenerated, DeviceName, ProcessCommandLine // Extract the target filename under /tmp | extend OutputFile = extract(@"[>]{1,2}\s*(/tmp/\S+)", 1, ProcessCommandLine) // Return distinct file names and context | summarize arg_max(TimeGenerated, *) by OutputFile | project TimeGenerated, DeviceName, OutputFile, ProcessCommandLine