Update - 10/9/2023 - The new eBPF-based sensor for Microsoft Defender for Endpoint on Linux is now generally available.
While organizations rely on Linux-based machines to run mission critical workloads, attackers are increasingly targeting these environments. Therefore, it's critical that endpoint security solutions can help organizations protect their multi-platform estate.
Today, we are excited to announce that a new, eBPF-based sensor for Microsoft Defender for Endpoint on Linux is now generally available.
The initial implementation of Defender for Endpoint on Linux relies on auditd as the primary event provider, but now organizations can use eBPF as an alternative technology. It delivers additional system stability and performance optimizations for all supported Linux-based machines.
Here are the key benefits of using eBPF as the primary supplementary event provider:
Reduced system-wide auditd-related log noise
Optimized system-wide event rules causing conflict between applications
Reduced overhead for file event (file read/open) monitoring
Improved event rate throughput
Optimized performance for specific configurations
With eBPF, events previously obtained from the auditd event provider now flow from the eBPF sensor. This helps with system stability, improving CPU and memory utilization and reduces disk usage. In addition, the eBPF sensor uses capabilities of the Linux kernel without requiring the use of a kernel module that helps increase system stability.
The eBPF sensor will be automatically enabled for all customers by default on agent versions “101.23082.0006” and above. In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules. We recommend switching to eBPF so that you can also benefit from the new enhancements planned for future releases of eBPF.
Note:For customers using auditd in immutable mode, a reboot is required after enabling eBPF to clear the audit rules file. This is a limitation of auditd's immutable mode, which freezes the rules file and prevents it from being edited or overwritten until the reboot takes place.
To check your default event provider, run the command – “mdatp health” and check for the value of “supplementary_events_subsystem”. In case you want to disable eBPF, run the command - “sudo mdatp config ebpf-supplementary-event-provider --value [enabled/disabled]”. On disabling eBPF, the supplementary event provider switches back to auditd.