Question Analysis

DeviceProcessEvents | where FileName == "ping" | project DeviceName, ProcessCommandLine, TimeGenerated

DeviceProcessEvents | where FileName == "ping" | extend ping_target = extract(@"ping\s+(-[\w\s]+\s+)?([\d\.]+)", 2, ProcessCommandLine) | where isnotempty(ping_target) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ping_target

DeviceProcessEvents | where ProcessCommandLine startswith "ping" | project ProcessCommandLine | extend IPAddress = extract(@"\d+\.\d+\.\d+\.\d+", 0, ProcessCommandLine) | project IPAddress | where isnotempty(IPAddress) | distinct IPAddress

DeviceProcessEvents | where ProcessCommandLine contains "ping" | project InitiatingProcessCommandLine, DeviceId, DeviceName, TenantId, TimeGenerated

// Optional: set a specific Linux host to focus the results (leave empty to return all Linux hosts) let targetHost = ""; let LinuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId, DeviceName; // Network evidence: ICMP destination captured as RemoteIP let PingNet = DeviceNetworkEvents | where InitiatingProcessFileName in~ ("ping", "ping6") | where isnotempty(RemoteIP) | project DeviceId, TimeGenerated, PingTargetIP = RemoteIP, PingCmd = tostring(InitiatingProcessCommandLine), Source = "DeviceNetworkEvents" | join kind=inner (LinuxDevices) on DeviceId | project TimeGenerated, DeviceId, DeviceName, PingTargetIP, PingCmd, Source; // Process evidence: extract IPv4/IPv6 literal from ping command line (regex avoids lookbehind/lookahead) let PingProc = DeviceProcessEvents | where FileName in~ ("ping", "ping6") | join kind=inner (LinuxDevices) on DeviceId | extend TargetIPv4 = extract(@"(^|[^0-9])((25[0-5]|2[0-4]\d|1?\d{1,2})(\.(25[0-5]|2[0-4]\d|1?\d{1,2})){3})", 2, tostring(ProcessCommandLine)) | extend TargetIPv6 = extract(@"(([A-Fa-f0-9]{1,4}:){1,7}[A-Fa-f0-9]{0,4})", 1, tostring(ProcessCommandLine)) | extend PingTargetIP = tostring(coalesce(TargetIPv4, TargetIPv6)) | where isnotempty(PingTargetIP) | project TimeGenerated, DeviceId, DeviceName, PingTargetIP, PingCmd = ProcessCommandLine, Source = "DeviceProcessEvents"; union PingNet, PingProc | where isempty(targetHost) or DeviceName == targetHost | extend IPVersion = iff(indexof(PingTargetIP, ":") >= 0, "IPv6", "IPv4") | order by TimeGenerated desc

let PingCommandPatterns = dynamic(["\bping\b","\bping6\b","\b/ping\b"]); // Extract target (IP or hostname) from command line let extractTarget = (cmd:string){ // match IPv4 extract(@"((?:[0-9]{1,3}\.){3}[0-9]{1,3})", 1, cmd) // if no IPv4, try IPv6 // fallback to hostname-like token after ping // we'll use coalesce in caller }; ( DeviceProcessEvents | where TimeGenerated between (startofday(now(-7d)) .. now()) | where tolower(ProcessCommandLine) contains "ping" | extend TargetIP = extract(@"((?:[0-9]{1,3}\.){3}[0-9]{1,3})", 1, ProcessCommandLine) | extend TargetIPv6 = extract(@"([0-9a-fA-F:]{3,})", 1, ProcessCommandLine) | extend TargetHost = tostring(split(ProcessCommandLine, ' ')[-1]) | extend Target = iif(isnotempty(TargetIP), TargetIP, iif(isnotempty(TargetIPv6), TargetIPv6, TargetHost)) | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, Target, TargetIP, TargetIPv6 ) | union ( DeviceEvents | where TimeGenerated between (startofday(now(-7d)) .. now()) | where tolower(ProcessCommandLine) contains "ping" | extend TargetIP = extract(@"((?:[0-9]{1,3}\.){3}[0-9]{1,3})", 1, ProcessCommandLine) | extend TargetIPv6 = extract(@"([0-9a-fA-F:]{3,})", 1, ProcessCommandLine) | extend TargetHost = tostring(split(ProcessCommandLine, ' ')[-1]) | extend Target = iif(isnotempty(TargetIP), TargetIP, iif(isnotempty(TargetIPv6), TargetIPv6, TargetHost)) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessId=ProcessId, ProcessCommandLine, Target, TargetIP, TargetIPv6 ) | union ( DeviceNetworkEvents | where TimeGenerated between (startofday(now(-7d)) .. now()) | where Protocol == "ICMP" or tolower(RemoteUrl) contains "icmp" or tolower(AdditionalFields) contains "icmp" | project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, RemoteIP, RemotePort, Protocol, ProcessCommandLine=InitiatingProcessCommandLine ) | extend DetectedTarget = coalesce(Target, RemoteIP) | where isnotempty(DetectedTarget) | sort by TimeGenerated desc | distinct DeviceName, DetectedTarget, AccountName, ProcessId, ProcessCommandLine, RemoteIP, TimeGenerated

let TimeWindow = 7d; let LinuxDevices = DeviceInfo | where OSPlatform contains "Linux" | distinct DeviceId; let PingProcs = DeviceProcessEvents | where TimeGenerated >= ago(TimeWindow) | where InitiatingProcessFileName endswith "ping" or InitiatingProcessCommandLine has "ping" | where DeviceId in (LinuxDevices) | extend CmdLine = InitiatingProcessCommandLine | extend TargetArg = extract(@"ping\\s+(?:-c\\s+\\d+\\s+)?([^\\s]+)", 1, CmdLine) | project DeviceName, DeviceId, InitiatingProcessId, InitiatingProcessCreationTime, CmdLine, TargetArg, TimeGenerated; let PingNet = DeviceNetworkEvents | where TimeGenerated >= ago(TimeWindow) | where InitiatingProcessId in (PingProcs | distinct InitiatingProcessId) | summarize RemoteIP = any(RemoteIP) by InitiatingProcessId; PingProcs | join kind=leftouter (PingNet) on InitiatingProcessId | project DeviceName, DeviceId, InitiatingProcessId, InitiatingProcessCreationTime, CmdLine, TargetArg, RemoteIP

DeviceProcessEvents | where ProcessCommandLine contains "ping" | join kind=inner ( DeviceInfo | where OSPlatform contains "Linux" ) on DeviceId | extend ExtractedIP = extract("[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+", 0, ProcessCommandLine) | where isnotempty(ExtractedIP) | project DeviceName, ProcessCreationTime, ProcessCommandLine, ExtractedIP | order by ProcessCreationTime desc

let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) | where FileName =~ "ping" | extend TargetIP = extract(@"\\b\\d{1,3}\\\.\\d{1,3}\\\.\\d{1,3}\\\.\\d{1,3}\\b", 0, ProcessCommandLine) | summarize arg_max(TimeGenerated, TargetIP, TimeGenerated) by DeviceId | project DeviceId, TargetIP, TimeGenerated | order by TimeGenerated desc

let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; LinuxDevices | join (DeviceProcessEvents | where FileName == "ping" or ProcessCommandLine has "ping") on DeviceId | extend TargetIp = extract("([0-9]+(?:\\.[0-9]+){3})", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessCommandLine, TargetIp | order by TimeGenerated desc

DeviceProcessEvents | where FileName == "ping" | extend RawTarget = extract(@"ping\s+([^\s]+)", 1, ProcessCommandLine) | join kind=inner ( DeviceInfo | where OSPlatform == "Linux" | project DeviceId, DeviceName ) on DeviceId | extend PingIP = extract(@"(\d{1,3}(?:\\.\d{1,3}){3})", 0, RawTarget) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, RawTarget, PingIP | order by TimeGenerated desc

// Identify the IP address that a Linux host tried to ping let TimeRange = 7d; // replace in the function call // 1. Locate all devices that run Linux so we do not collect hits from Windows hosts let LinuxDevices = DeviceInfo | where OSPlatform endswith "Linux" | project DeviceId, DeviceName; // 2. Find executions of the *ping* utility on those Linux devices DeviceProcessEvents | where TimeGenerated >= ago(TimeRange) | where FileName =~ "ping" // executable name (covers ping & ping6) | join kind=inner (LinuxDevices) on DeviceId // 3. From the full command-line pull out the first non-switch argument – that is the target | extend PingTarget = extract(@"\bping(?:6)?\s+(?:-[^\s]+\s+)*([^\s]+)", 1, ProcessCommandLine) | where isnotempty(PingTarget) // 4. Keep only literal IP addresses (IPv4 or IPv6); drop host-names that may also appear | where PingTarget matches regex @"^(\d{1,3}(?:\.\d{1,3}){3})$" // IPv4 or PingTarget matches regex @"^[0-9a-fA-F:]{2,}$" // IPv6 (very loose but adequate) // 5. Summarise so you can see when the ping happened and how often | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExecCount = count() by DeviceName, PingTarget | order by LastSeen desc

DeviceProcessEvents | where InitiatingProcessCommandLine contains "ping" | extend targetIP = extract(@"\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\b", 0, InitiatingProcessCommandLine) | where isnotempty(targetIP) | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, targetIP | sort by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "ping" | where FileName endswith "ping" | extend TargetIP = extract(@"(\b\d{1,3}(?:\.\d{1,3}){3}\b)", 0, ProcessCommandLine) | where isnotempty(TargetIP) | project TimeGenerated, DeviceName, ProcessCommandLine, TargetIP | order by TimeGenerated desc

// Identify Linux devices let linuxDevices = DeviceInfo | where OSPlatform contains "Linux" | project DeviceId, DeviceName; // Network-based ping events (ICMP by ping) let pingNetwork = DeviceNetworkEvents | where DeviceId in (linuxDevices | project DeviceId) | where Protocol == "ICMP" | where InitiatingProcessFileName in ("ping", "ping6") | extend ProcessCommandLine = InitiatingProcessCommandLine | project TimeGenerated, DeviceId, PingTarget = RemoteIP, ProcessCommandLine; // Process-based ping events (extract IP from command line) let pingProcess = DeviceProcessEvents | where DeviceId in (linuxDevices | project DeviceId) | where FileName in ("ping", "ping6") | extend PingTarget = extract(@"(\d+\.\d+\.\d+\.\d+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceId, PingTarget, ProcessCommandLine; // Combine, enrich, filter, and sort union pingNetwork, pingProcess | where isnotempty(PingTarget) | join kind=inner linuxDevices on DeviceId | sort by TimeGenerated desc | project TimeGenerated, DeviceName, PingTarget, ProcessCommandLine