Linux Antivirus Activity
Query
let LinuxDeviceIds =
DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId;
DeviceEvents
| where Timestamp > ago(7d)
| where DeviceId in (LinuxDeviceIds)
| where ActionType startswith "Antivirus"
| extend AF = parse_json(AdditionalFields)
| project
Timestamp,
DeviceName,
ActionType,
ThreatName = tostring(AF.ThreatName),
FileName,
FolderPath,
WasRemediated = tostring(AF.WasRemediated),
ReportId
| order by Timestamp descAbout this query
Linux – Antivirus Activity – Last 7d
Purpose
Provides visibility into Defender AV enforcement, including malware and PUA detections.
Query
Use this for
- Validating PUA block mode effectiveness
- Investigating why a binary was blocked
- Tracking AV detections across Linux hosts
- Supporting security exception decisions
Typical activity you’ll see
- Malware detections
- PUA detections (block mode only)
- Scan reports
Explanation
This query is designed to provide insights into antivirus activities on Linux devices over the past seven days. It specifically focuses on events related to Microsoft Defender Antivirus enforcement, such as malware and potentially unwanted application (PUA) detections. Here's a breakdown of what the query does:
-
Identify Linux Devices: It first identifies all devices running on the Linux operating system by filtering the
DeviceInfotable for entries where theOSPlatformis "Linux". It then collects the uniqueDeviceIdvalues for these devices. -
Filter Device Events: The query then looks at the
DeviceEventstable to find events from the past seven days (Timestamp > ago(7d)) that are associated with the identified Linux devices. It specifically filters for events where theActionTypestarts with "Antivirus", indicating they are related to antivirus activities. -
Extract and Present Data: For each relevant event, it extracts and presents several pieces of information:
Timestamp: When the event occurred.DeviceName: The name of the device where the event was recorded.ActionType: The type of antivirus action taken.ThreatName: The name of the detected threat, extracted from theAdditionalFields.FileNameandFolderPath: The file and location involved in the event.WasRemediated: Whether the threat was successfully remediated, also extracted from theAdditionalFields.ReportId: An identifier for the report.
-
Order Results: The results are ordered by the
Timestampin descending order, so the most recent events appear first.
Use Cases
- Validating PUA Block Mode: Check if potentially unwanted applications are being effectively blocked.
- Investigating Blocked Binaries: Understand why certain binaries were blocked by the antivirus.
- Tracking AV Detections: Monitor antivirus detections across Linux devices.
- Supporting Security Decisions: Provide data to help make informed security exception decisions.
Typical Observations
- You might see records of malware detections.
- There could be detections of potentially unwanted applications, especially if block mode is enabled.
- Scan reports detailing the findings of antivirus scans.
Details

Nathan Hutchinson
Released: February 2, 2026
Tables
Keywords
Operators