Managing Config on Linux - supplementary_events_subsystem


Hi there,

We have found that with the default config of supplementary_events_subsystem set to auditd, CPU usage gets high on busier systems.

We manually set it to ebpf via the CLI when we detect this, but we would prefer to set it as a default from now on, as it reduces CPU usage by orders of magnitude in nearly every case, e.g.

mdatp config ebpf-supplementary-event-provider --value enabled

We can manage most other settings via the mdatp_managed.json file, which we manage via Puppet, but it appears that supplementary_events_subsystem is not a value that can be managed at present? I certainly cannot find any documentation.

I am also wondering about this and would welcome a response from Microsoft.

Can somebody help?!

@Tempest62 and everyone else: it looks like Microsoft has listened, or it was on their roadmap all along, but it looks like we can configure it in the config just like the other settings now. It's also now enabled by default on updated versions of MDATP, which is cool.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-support-ebpf?view=o...

Thanks for mentioning this @AnthonySomerset.

Do you have the setting in place and appearing as '[Managed]' if you query mdatp? I had a first pass at it a couple of weeks ago, but wherever I placed the recommended block in my mdatp_managed.json file was either incorrect or missing a dependency, as it knocked out all other managed settings.
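An added helper for the situation described in the original post and in the reply above (example code written for this thread, not Microsoft's or the poster's): it merges the eBPF setting into an existing mdatp_managed.json without touching the other managed keys and refuses to emit anything that does not parse, since one syntax error in that file is enough for every managed setting to be dropped at once. The key path features.ebpfSupplementaryEventProvider is assumed from the eBPF documentation linked in the thread, and the existing config shown is constructed sample content.

```python
import json
import sys
from pathlib import Path

# Constructed sample of an existing managed config with unrelated settings
# that must survive the edit (sample content, not taken from the thread).
SAMPLE_EXISTING = """{
  "antivirusEngine": {
    "enforcementLevel": "real_time"
  },
  "cloudService": {
    "enabled": true
  }
}"""


def enable_ebpf_provider(config_text: str) -> dict:
    """Return the managed config with the eBPF supplementary event provider enabled.

    Assumes the key layout features.ebpfSupplementaryEventProvider from the
    public docs; verify the name against the linked page before deploying.
    """
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # A single syntax error invalidates the whole file, which is how all
        # other managed settings get knocked out at the same time.
        raise ValueError(f"mdatp_managed.json is not valid JSON: {exc}") from exc
    if not isinstance(config, dict):
        raise ValueError("top-level value of mdatp_managed.json must be an object")
    features = config.setdefault("features", {})
    if not isinstance(features, dict):
        raise ValueError('"features" must be a JSON object')
    features["ebpfSupplementaryEventProvider"] = "enabled"
    return config


def render(config: dict) -> str:
    # Round-trip through the parser so what gets written is guaranteed to parse.
    text = json.dumps(config, indent=2) + "\n"
    json.loads(text)
    return text


def update_file(path: Path) -> None:
    path.write_text(render(enable_ebpf_provider(path.read_text())))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        update_file(Path(sys.argv[1]))  # e.g. /etc/opt/microsoft/mdatp/managed/mdatp_managed.json
    else:
        print(render(enable_ebpf_provider(SAMPLE_EXISTING)))
```

After the file is deployed, `mdatp health --field supplementary_events_subsystem` should report ebpf, and the other keys in the sample should still show as managed.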