Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | join DeviceInfo on DeviceId | where OSPlatform == "Linux" | where ProcessCommandLine has "tor" or FileName has "tor" | project DeviceName, FileName, ProcessCommandLine, Timestamp

DeviceProcessEvents | where FileName in~ ('tor', 'tor.real', 'tor.service') or ProcessCommandLine has_any ('tor', 'tor.real', 'systemctl start tor', 'service tor start') | project TimeGenerated, DeviceName, FileName, ProcessCommandLine | summarize ExampleCommandLine = any(ProcessCommandLine), Count = count() by ServiceName = FileName | order by Count desc

DeviceProcessEvents | where ProcessCommandLine has "systemctl start tor" | extend TorService = extract(@"(\S+)$", 0, ProcessCommandLine) | distinct TorService

let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | project DeviceId, DeviceName; DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=inner (LinuxDevices) on DeviceId | extend pcl = tostring(ProcessCommandLine), fname = tolower(tostring(FileName)) | where isnotempty(pcl) or fname in ("tor","tor.real") // Look for Tor being started via service managers or invoked directly | where pcl matches regex @"(?i)\b(systemctl|service|rc-service|sv|initctl|start)\b.*\b(start|restart|enable\s+--now|up)\b.*\btor(\.service|@\S+)?\b" or fname in ("tor","tor.real") or pcl matches regex @"(?i)\btor(\.service|@\S+)?\b" // Extract the service name argument from the command | extend ServiceRaw = tostring(coalesce( extract(@"(?i)\bsystemctl\b[^\S\r\n]+(?:enable[^\S\r\n]+--now[^\S\r\n]+|start|restart)[^\S\r\n]+([A-Za-z0-9_.@\-]+)", 1, pcl), extract(@"(?i)\bservice\b[^\S\r\n]+([A-Za-z0-9_.@\-]+)[^\S\r\n]+(?:start|restart)", 1, pcl), extract(@"(?i)\brc-service\b[^\S\r\n]+([A-Za-z0-9_.@\-]+)[^\S\r\n]+(?:start|restart)", 1, pcl), extract(@"(?i)\bsv\b[^\S\r\n]+(?:up|start|restart)[^\S\r\n]+([A-Za-z0-9_.@\-]+)", 1, pcl), extract(@"(?i)\binitctl\b[^\S\r\n]+(?:start|restart)[^\S\r\n]+([A-Za-z0-9_.@\-]+)", 1, pcl), extract(@"(?i)\bstart[^\S\r\n]+([A-Za-z0-9_.@\-]+)", 1, pcl), iif(fname in ("tor","tor.real"), "tor", "") )) | extend ServiceRaw = iff(isempty(ServiceRaw) and fname in ("tor","tor.real"), "tor", ServiceRaw) | extend ServiceName = tolower(replace_regex(tostring(ServiceRaw), @"(?i)\.service$", "")) | where ServiceName startswith "tor" | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, ServiceName | summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, AccountName, ServiceName | order by LastSeen desc

DeviceProcessEvents | where InitiatingProcessCommandLine != "" | extend CmdLower = tolower(InitiatingProcessCommandLine) | where CmdLower contains "tor" and (CmdLower contains "systemctl start" or (CmdLower contains "service" and CmdLower contains " start")) | extend ServiceName = iif(CmdLower contains "systemctl start", extract(@"systemctl\s+start\s+([^\s]+)", 1, CmdLower), iif(CmdLower contains "service", extract(@"service\s+([^\s]+)\s+start", 1, CmdLower), "")) | extend ServiceNameClean = replace(@"\\.service$", "", ServiceName) | where isnotempty(ServiceNameClean) | project DeviceName, InitiatingProcessCreationTime, InitiatingProcessCommandLine, ServiceNameClean | sort by InitiatingProcessCreationTime asc

DeviceProcessEvents | join kind=inner DeviceInfo on DeviceId | where OSPlatform == 'Linux' | where ProcessCommandLine has 'tor' or FileName has 'tor' | project DeviceName, FileName, ProcessCommandLine, Timestamp | order by Timestamp desc | limit 10

DeviceProcessEvents | join kind=inner (DeviceInfo | where OSPlatform == 'Linux' | project DeviceId, DeviceName) on DeviceId | where ProcessCommandLine has 'start' and ProcessCommandLine has 'tor' | extend ServiceName = extract(@'start\s+(\S+)', 1, tolower(ProcessCommandLine)) | summarize DistinctServiceName = make_set(ServiceName) | project DistinctServiceName

DeviceProcessEvents | where ActionType == "ProcessCreated" | join (DeviceInfo | where OSPlatform =~ "Linux") on DeviceId | where FileName has "tor" or ProcessCommandLine has "tor" | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine

DeviceInfo | where OSPlatform =~ "Linux" | distinct DeviceId | join kind=inner ( DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has_any ("systemctl", "service") | where ProcessCommandLine has "start" | where ProcessCommandLine has "tor" // Use regex to parse out the service name that follows 'systemctl start' or 'service start' | parse kind=regex flags="i" ProcessCommandLine with "(?:systemctl|service)\\s+start\\s+([^\\s]+)" ServiceName | project DeviceId, DeviceName, TimeGenerated, ProcessCommandLine, ServiceName ) on DeviceId | order by TimeGenerated desc | take 100

// Step 1 – list Linux endpoints let linuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId; // Step 2 – look for service-start commands that launch the Tor proxy DeviceProcessEvents | where DeviceId in (linuxDevices) | where ActionType in ("ProcessCreated", "ProcessStarted", "ProcessLaunched") | where ProcessCommandLine has_any ("systemctl", "service") | where ProcessCommandLine matches regex @"\b(systemctl|service)\s+(start|restart|enable)\s+(tor(\.service)?|[^\s]*tor[^\s]*)\b" // Step 3 – extract the service name that was launched | extend ServiceName = tostring(extract(@"\b(systemctl|service)\s+(?:start|restart|enable)\s+([^\s]+)", 2, ProcessCommandLine)) // Step 4 – surface useful context | project TimeGenerated, DeviceName, AccountName, ProcessId, ServiceName, ProcessCommandLine | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), EventCount=count() by DeviceName, AccountName, ServiceName, ProcessCommandLine

DeviceProcessEvents | where InitiatingProcessCommandLine has "systemctl" and InitiatingProcessCommandLine has "start" and InitiatingProcessCommandLine has "tor" | extend launched_service = extract(@"systemctl\s+start\s+(\S+)", 1, InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, launched_service, InitiatingProcessCommandLine

let LinuxDevices = DeviceInfo | where OSPlatform has "Linux" | project DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) | where InitiatingProcessCommandLine has "tor" and InitiatingProcessCommandLine has "start" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId | order by TimeGenerated desc

let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | project DeviceId; linuxDevices | join kind=inner DeviceProcessEvents on DeviceId | where ProcessCommandLine has "systemctl" and ProcessCommandLine has "start" | extend ServiceName = extract(@"start\s+(\S+)", 1, ProcessCommandLine) | where ServiceName has "tor" | distinct ServiceName