Azure Security Center recently launched a limited preview of new analytics that leverage auditd records to detect malicious behaviors on cloud and on-premises Linux machines. Similar to Security Center detections for Windows machines, these new capabilities can detect suspicious processes, dubious login attempts, kernel module loading and unloading, and other activities that could indicate that a machine is under attack or has been breached. They complement the network detections that were already available for both Linux and Windows VMs.
Security Center collects audit records from Linux machines using auditd, one of the most common Linux auditing frameworks. Auditd has the advantage of having been around for a long time and of living in the mainline kernel. The auditd system consists of two major components. The first is a set of user-space utilities offering a wide collection of operations that let administrators tune rules, analyze audit log files, and troubleshoot misconfigurations. The second is a kernel-level subsystem responsible for monitoring system calls, filtering them against the configured rule set, and writing matching messages to a buffer. The two components communicate through a netlink socket.
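To make concrete what analytics over these records look like, here is an added example written for this page (not Security Center's own implementation): a small Python parser for the key=value record format that auditd writes to audit.log, which correlates the records of one event by their serial number and flags two of the behaviors named above, kernel module loads/unloads and repeated failed logins. The audit lines are constructed samples, the syscall numbers are the x86_64 ones (which is why the code checks `arch` before interpreting them), and the rule names and the threshold of three failed logins are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not taken from the original post). The
# layout follows what auditd writes: a type, a msg=audit(timestamp:serial)
# header, then key=value fields. Records of one event share a serial.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=1 ppid=1000 pid=1337 auid=1000 uid=0 gid=0 euid=0 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=KERN_MODULE msg=audit(1700000000.101:201): name="example_mod"
type=USER_LOGIN msg=audit(1700000000.250:202): pid=2001 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.251:203): pid=2002 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.252:204): pid=2003 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=SYSCALL msg=audit(1700000000.300:205): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1700000000.400:206): arch=c000003e syscall=176 success=yes exit=0 items=0 ppid=1000 pid=1400 auid=1000 uid=0 gid=0 euid=0 comm="rmmod" exe="/usr/bin/kmod" key="modules"
"""

# key=value tokens; values may be double-quoted, single-quoted, or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')

# Syscall numbers are architecture specific; these are the x86_64 values
# for the module-related syscalls, so records are only interpreted when
# arch=c000003e (x86_64).
X86_64_ARCH = "c000003e"
MODULE_SYSCALLS = {175: "init_module", 313: "finit_module", 176: "delete_module"}


def _parse_fields(text):
    """Turn a key=value list into a dict, stripping surrounding quotes."""
    return {key: raw.strip("\"'") for key, raw in FIELD_RE.findall(text)}


def parse_record(line):
    """Parse one audit.log line; returns None for lines that are not records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = _parse_fields(rest)
    # USER_* records nest a second key=value list inside msg='...'; flatten it.
    nested = fields.pop("msg", None)
    if nested:
        fields.update(_parse_fields(nested))
    return {"type": rtype, "timestamp": float(ts), "serial": int(serial), **fields}


def group_events(log_text):
    """Group records by serial so the SYSCALL and its companion records line up."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def detect(log_text, failed_login_threshold=3):
    """Run two example rules over the log and return the alerts they raise.

    Rule names and the login threshold are choices made for this example."""
    alerts = []
    failed_by_source = defaultdict(int)
    for serial, records in sorted(group_events(log_text).items()):
        by_type = {r["type"]: r for r in records}

        # Rule 1: a module was loaded or unloaded (init/finit/delete_module).
        sc = by_type.get("SYSCALL")
        if sc and sc.get("arch") == X86_64_ARCH and int(sc.get("syscall", -1)) in MODULE_SYSCALLS:
            alerts.append({
                "rule": "kernel_module_change",
                "serial": serial,
                "syscall": MODULE_SYSCALLS[int(sc["syscall"])],
                # KERN_MODULE carries the module name when the kernel emits it.
                "module": by_type.get("KERN_MODULE", {}).get("name", "<unknown>"),
                "exe": sc.get("exe"),
                "auid": sc.get("auid"),
            })

        # Rule 2: repeated failed logins from one source address.
        login = by_type.get("USER_LOGIN")
        if login and login.get("res") == "failed":
            src = login.get("addr", "?")
            failed_by_source[src] += 1
            if failed_by_source[src] == failed_login_threshold:
                alerts.append({
                    "rule": "repeated_failed_login",
                    "serial": serial,
                    "addr": src,
                    "acct": login.get("acct"),
                    "count": failed_login_threshold,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(alert)
```

Grouping by serial matters: the module name lives in a separate KERN_MODULE record, not in the SYSCALL record that carries the actor's `auid` and `exe`, so a detection that reads lines in isolation loses one half of the picture. The `exe=/usr/bin/ls` execve event in the sample is there to show that ordinary syscall records pass through without an alert.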