BPF-Based Sensor for Microsoft Defender on Linux is generally available!
🔥NOW Available🔥
The initial implementation of Defender for Endpoint on Linux relies on auditd as the primary event provider, but organizations can now use eBPF as an alternative technology. It delivers additional system stability and performance optimizations on all supported Linux-based machines.
📌Here are the key benefits of using eBPF as the supplementary event provider:
🔹Reduced system-wide auditd-related log noise
🔹Optimized system-wide event rules that previously caused conflicts between applications
🔹Reduced overhead for file event (file read/open) monitoring
🔹Improved event rate throughput
🔹Optimized performance for specific configurations
✔️With eBPF, events previously obtained from the auditd event provider now flow from the eBPF sensor. This improves system stability, CPU and memory utilization, and disk usage.
✔️In addition, the eBPF sensor uses capabilities built into the Linux kernel without requiring a kernel module, which further helps increase system stability.
💡The eBPF sensor is automatically enabled by default for all customers on agent versions “101.23082.0006” and above.
Want to learn more?