Query Details

Linux Script Activity Script Content

Query

let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceEvents
| where Timestamp > ago(24h)
| where DeviceId in (LinuxDeviceIds)
| where ActionType == "ScriptContent"
| project
    Timestamp,
    DeviceName,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    AdditionalFields,
    ReportId
| order by Timestamp desc

About this query

Linux – Script Activity (ScriptContent) – Last 24h

Purpose

High‑signal query for script‑based execution, one of the most common Linux attack techniques.

Query

Use this for

  • Detecting curl | bash patterns
  • Identifying inline or downloaded scripts
  • Investigating admin misuse or credential harvesting scripts
  • Understanding attacker intent (script logic is often exposed)

Typical activity you’ll see

  • Shell scripts executed by bash
  • Scripts dropped to /tmp
  • Inline script execution via CLI tools

Explanation

This query is designed to monitor and detect script-based activities on Linux devices over the past 24 hours, which is a common method used in Linux attacks. Here's a simplified breakdown of what the query does:

  1. Identify Linux Devices: It first identifies all devices running Linux by checking the operating system platform in the DeviceInfo table and collects their unique identifiers (DeviceId).

  2. Filter Recent Script Activities: It then looks into the DeviceEvents table to find events from the last 24 hours (Timestamp > ago(24h)) that are related to script execution (ActionType == "ScriptContent").

  3. Focus on Linux Devices: The query ensures that it only considers events from the Linux devices identified earlier.

  4. Extract Relevant Information: For each relevant event, it extracts details such as the time of the event, device name, file and folder paths, the process that initiated the script, and any additional fields or report IDs.

  5. Order by Time: Finally, it sorts these events in descending order based on the timestamp, so the most recent activities appear first.

This query is useful for detecting patterns like curl | bash, identifying scripts that are either inline or downloaded, investigating potential misuse by administrators, and understanding the intent of attackers by analyzing the logic exposed in scripts. Typical activities detected might include shell scripts executed by bash, scripts placed in temporary directories like /tmp, and inline script execution using command-line tools.

Details

Nathan Hutchinson profile picture

Nathan Hutchinson

Released: February 2, 2026

Tables

DeviceInfoDeviceEvents

Keywords

LinuxDevicesDeviceInfoDeviceEventsTimestampDeviceNameFileNameFolderPathInitiatingProcessFileNameInitiatingProcessCommandLineAdditionalFieldsReportId

Operators

letwheredistinctinprojectorder byago

Actions

GitHub