Question Analysis

DeviceProcessEvents | where ProcessCommandLine has "hostname" or ProcessCommandLine has "uname -n" | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName | take 10

DeviceProcessEvents | where FileName in~ ("hostname", "uname", "cat") or ProcessCommandLine has_any ("hostname", "uname", "/proc/sys/kernel/hostname") | summarize EventCount = count(), ExampleTime=min(TimeGenerated), AnyDevice=any(DeviceName), AnyUser=any(AccountName) by FileName, ProcessCommandLine | top 20 by EventCount desc

DeviceProcessEvents | where ProcessCommandLine has_any ('nslookup', 'hostname', 'ipconfig', 'scutil', 'dig', 'host') or FileName has_any ('nslookup.exe', 'hostname', 'ipconfig.exe', 'scutil', 'dig', 'host') | take 50 | project TimeGenerated, DeviceName, ProcessId, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessId, InitiatingProcessParentId, InitiatingProcessCreationTime

DeviceProcessEvents | where ActionType == "ProcessCreated" and (ProcessCommandLine contains "hostname" or FileName == "hostname") | project TimeGenerated, DeviceId, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by TimeGenerated desc | take 50

let linux_devices = DeviceInfo | where OSPlatform == "Linux" | summarize by DeviceId; DeviceProcessEvents | where ActionType == "ProcessCreated" | where DeviceId in (linux_devices) | extend cmd = tostring(ProcessCommandLine), fname = tostring(FileName) | extend cmd_l = tolower(cmd), fname_l = tolower(fname) // Pre-filter to commands/indicators commonly used to fetch the hostname | where fname_l in ("hostname","hostnamectl","uname","cat","sysctl","sh","bash","dash","zsh","python","perl","ruby","node") or cmd_l has_any ("hostnamectl", "uname -n", "--nodename", "/etc/hostname", "/proc/sys/kernel/hostname", "kernel.hostname", "socket.gethostname", "gethostname(") or cmd_l matches regex @"(^|\s)hostname(\s|$)" // Normalize to the effective utility used for the hostname lookup | extend Utility = case( fname_l == "hostnamectl" or cmd_l has "hostnamectl", "hostnamectl", fname_l == "uname" and (cmd_l has " -n" or cmd_l has " --nodename"), "uname -n", cmd_l matches regex @"(^|\s)hostname(\s|$)", "hostname", cmd_l has "/etc/hostname", "cat /etc/hostname", cmd_l has "/proc/sys/kernel/hostname", "cat /proc/sys/kernel/hostname", fname_l == "sysctl" and cmd_l has "kernel.hostname", "sysctl kernel.hostname", cmd_l has "socket.gethostname" or cmd_l has "gethostname(", "programmatic gethostname()", "Other" ) | where Utility != "Other" | project TimeGenerated, DeviceName, DeviceId, Utility, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) or isnotempty(InitiatingProcessCommandLine) or isnotempty(InitiatingProcessFileName) // Restrict to Linux devices | join kind=inner ( DeviceInfo | where tolower(tostring(OSPlatform)) has "linux" | distinct DeviceId ) on DeviceId | extend cmd = tolower(tostring(ProcessCommandLine)), fname = tolower(tostring(FileName)), iproc_cmd = tolower(tostring(InitiatingProcessCommandLine)), iproc_file = tolower(tostring(InitiatingProcessFileName)) // Look for common hostname lookup utilities/patterns (including reading /etc/hostname and sysctl kernel.hostname) | where cmd matches regex @"\b(hostnamectl|hostname|dnsdomainname|uname|gethostname|getent|sysctl)\b" or iproc_cmd matches regex @"\b(hostnamectl|hostname|dnsdomainname|uname|gethostname|getent|sysctl)\b" or fname matches regex @"\b(hostnamectl|hostname|dnsdomainname|uname|getent|cat)\b" or iproc_file matches regex @"\b(hostnamectl|hostname|dnsdomainname|uname|getent|cat)\b" or cmd contains "/etc/hostname" or iproc_cmd contains "/etc/hostname" or cmd contains "kernel.hostname" or iproc_cmd contains "kernel.hostname" | extend detected = case( cmd matches regex @"\bhostnamectl\b" or iproc_cmd matches regex @"\bhostnamectl\b" or fname matches regex @"\bhostnamectl\b" or iproc_file matches regex @"\bhostnamectl\b", "hostnamectl", cmd matches regex @"\bdnsdomainname\b" or iproc_cmd matches regex @"\bdnsdomainname\b" or fname matches regex @"\bdnsdomainname\b" or iproc_file matches regex @"\bdnsdomainname\b", "dnsdomainname", cmd matches regex @"\buname\b" or iproc_cmd matches regex @"\buname\b" or fname matches regex @"\buname\b" or iproc_file matches regex @"\buname\b", "uname", cmd contains "/etc/hostname" or iproc_cmd contains "/etc/hostname", "cat /etc/hostname", cmd matches regex @"\bgetent\b" or iproc_cmd matches regex @"\bgetent\b" or fname matches regex @"\bgetent\b", "getent", cmd matches regex @"\bsysctl\b" or iproc_cmd matches regex @"\bsysctl\b", "sysctl kernel.hostname", cmd matches regex @"\bgethostname\b" or iproc_cmd matches regex @"\bgethostname\b", "gethostname", cmd contains "cat" or iproc_cmd contains "cat" or fname contains "cat" or iproc_file contains "cat", "cat (generic)", "other") // Summarize to reduce noise and show examples | summarize count = count(), lastTime = max(TimeGenerated), sampleCmd = any(ProcessCommandLine), sampleFile = any(FileName), sampleInitiatingCmd = any(InitiatingProcessCommandLine), sampleInitiatingFile = any(InitiatingProcessFileName) by DeviceId, DeviceName, detected | order by lastTime desc | take 200

DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) // If caller will set the timerange externally, remove the above line and rely on external time filter | where isnotempty(ProcessCommandLine) or isnotempty(FileName) // Filter common Linux hostname utilities and commands | where FileName in~ ("hostname", "uname", "cat", "hostnamectl") or ProcessCommandLine has_any ("hostname", "uname -n", "/etc/hostname", "hostnamectl") // Optionally filter to Linux devices by joining DeviceInfo OSPlatform | join kind=leftouter ( DeviceInfo | summarize LatestTime=max(TimeGenerated) by DeviceId, OSPlatform ) on DeviceId | where OSPlatform has "Linux" or isnull(OSPlatform) | project TimeGenerated, DeviceName, DeviceId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ProcessId, ProcessCreationTime, InitiatingProcessCreationTime, AccountDomain, AccountName, AdditionalFields | sort by TimeGenerated desc | take 50

let linuxDevices = DeviceInfo | where tostring(OSPlatform) has "Linux" | project DeviceId, OSPlatform; DeviceProcessEvents | where isnotempty(ProcessCommandLine) or isnotempty(FileName) // token filter to reduce dataset | where ProcessCommandLine has_any ("hostname","uname","/etc/hostname","hostnamectl","gethostname","sysctl","gethostbyname","socket.gethostname","platform.node","getent","dig","cat") or FileName has_any ("hostname","uname","hostnamectl","cat","python","perl","ruby","php","bash","sh","getent","dig") | join kind=inner (linuxDevices) on DeviceId | extend CmdLower = tolower(tostring(ProcessCommandLine)), FileNameStr = tostring(FileName) // try to extract the utility name from the command line | extend ExtractCmd = extract(@"(?:^|[\s/])((?:hostnamectl|hostname|gethostname|uname|sysctl|cat|getent|dig|python|perl|ruby|php|bash|sh))\b", 1, CmdLower) | extend FileBase = tolower(tostring(split(FileNameStr,'/')[-1])) | extend Invoked = case( isnotempty(ExtractCmd), ExtractCmd, FileBase in ("hostname","uname","hostnamectl","cat","getent","dig","python","perl","ruby","php","bash","sh"), FileBase, CmdLower contains "/etc/hostname", "cat(/etc/hostname)", CmdLower contains "gethostbyname" or CmdLower contains "socket.gethostname" or CmdLower contains "platform.node", "language_call", "unknown") | where Invoked != "unknown" | summarize Count = count(), Examples = make_list(pack("TimeGenerated", TimeGenerated, "DeviceName", DeviceName, "ProcessId", ProcessId, "ProcessCommandLine", ProcessCommandLine, "FileName", FileName, "InitiatingProcessFileName", InitiatingProcessFileName), 5) by Invoked | sort by Count desc | take 50

DeviceProcessEvents | where (ProcessCommandLine contains_cs 'hostname' or ProcessCommandLine contains_cs 'hostnamectl' or ProcessCommandLine contains_cs 'uname') or (FileName contains_cs 'hostname' or FileName contains_cs 'hostnamectl' or FileName contains_cs 'uname') | where InitiatingProcessFolderPath contains '/usr/' or InitiatingProcessFolderPath contains '/bin/' or InitiatingProcessFolderPath contains '/sbin/' | project DeviceName, FileName, ProcessCommandLine, ProcessCreationTime, ProcessId, AccountName | order by ProcessCreationTime desc | limit 50

DeviceProcessEvents | where ProcessCommandLine contains 'hostname' | join kind=inner ( DeviceInfo | where OSPlatform == 'Linux' | project DeviceId ) on DeviceId | summarize arg_max(TimeGenerated, *) by FileName | project TimeGenerated, DeviceName, FileName, ProcessCommandLine | order by TimeGenerated desc | limit 100

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("hostname", "uname", "nslookup", "host") | order by TimeGenerated desc | project TimeGenerated, DeviceName, FileName, ProcessCommandLine | limit 50

DeviceProcessEvents | where ActionType == "ProcessCreated" | join (DeviceInfo | where OSPlatform == "Linux") on DeviceId | where FileName in~ ("hostname", "uname", "hostnamectl") | project TimeGenerated, DeviceId, DeviceName, OSPlatform, AccountName, FileName, ProcessCommandLine | order by TimeGenerated desc | limit 100

// Which utility was used on a Linux host to obtain the machine name let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | project DeviceId, DeviceName; DeviceProcessEvents | where ActionType == "ProcessCreated" // keep only events coming from Linux machines | where DeviceId in (LinuxDevices) // look for common hostname-lookup utilities or obvious command-line patterns | where FileName in~ ("hostname", "uname", "hostnamectl", "cat") or ProcessCommandLine has "hostname" or ProcessCommandLine has "uname -n" or ProcessCommandLine has "/etc/hostname" // enrich with the device friendly name | join kind=leftouter (LinuxDevices) on DeviceId | summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SampleCommand = any(ProcessCommandLine) by DeviceName, DeviceId, Utility = tostring(FileName) | sort by LastSeen desc

DeviceProcessEvents | where FileName has "hostname" or ProcessCommandLine has "hostname" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName | sort by TimeGenerated desc | limit 50

DeviceProcessEvents | join kind=inner ( DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId, OSPlatform ) on DeviceId | where ProcessCommandLine contains "hostname" or FileName contains "hostname" | where isnull(FileName) or FileName !endswith ".exe" | summarize EventCount = count() by DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName | sort by EventCount desc | limit 100

let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; linuxDevices | join kind=inner ( DeviceProcessEvents | where FileName in ("hostname", "hostnamectl", "uname") and (FileName != "uname" or ProcessCommandLine has "-n") ) on DeviceId | project TimeGenerated, DeviceName, ProcessId, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | sort by TimeGenerated desc | take 50

let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) // Only process‐creation events | where ActionType == "ProcessCreated" // Match the hostname binary or uname with -n flag | where FileName =~ "hostname" or (FileName =~ "uname" and ProcessCommandLine has "-n") // Project only the fields you need to see which utility was called | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, InitiatingProcessId | sort by TimeGenerated desc | take 50