Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Use the new eBPF-based sensor for Defender for Endpoint on Linux
Published Jul 19 2023 03:35 PM 12K Views

Update - 10/9/2023 - The new eBPF-based sensor for Microsoft Defender for Endpoint on Linux is now generally available.


While organizations rely on Linux-based machines to run mission critical workloads, attackers are increasingly targeting these environments. Therefore, it's critical that endpoint security solutions can help organizations protect their multi-platform estate. 

Today, we are excited to announce that a new, eBPF-based sensor for Microsoft Defender for Endpoint on Linux is now generally available.


The initial implementation of Defender for Endpoint on Linux relies on auditd as the primary event provider, but now organizations can use eBPF as an alternative technology. It delivers additional system stability and performance optimizations for all supported Linux-based machines.

Here are the key benefits of using eBPF as the primary supplementary event provider:


  • Reduced system-wide auditd-related log noise
  • Optimized system-wide event rules causing conflict between applications
  • Reduced overhead for file event (file read/open) monitoring
  • Improved event rate throughput
  • Optimized performance for specific configurations


With eBPF, events previously obtained from the auditd event provider now flow from the eBPF sensor. This helps with system stability, improving CPU and memory utilization and reduces disk usage. In addition, the eBPF sensor uses capabilities of the Linux kernel without requiring the use of a kernel module that helps increase system stability.


The eBPF sensor will be automatically enabled for all customers by default on agent versions “101.23082.0006” and above. In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules. We recommend switching to eBPF so that you can also benefit from the new enhancements planned for future releases of eBPF.


Note: For customers using auditd in immutable mode, a reboot is required after enabling eBPF to clear the audit rules file. This is a limitation of auditd's immutable mode, which freezes the rules file and prevents it from being edited or overwritten until the reboot takes place.


To check your default event provider, run the command – “mdatp health” and check for the value of “supplementary_events_subsystem”. In case you want to disable eBPF,  run the command - “sudo mdatp config ebpf-supplementary-event-provider --value [enabled/disabled]”. On disabling eBPF, the supplementary event provider switches back to auditd.


More information

Version history
Last update:
‎Oct 09 2023 09:24 AM
Updated by: