Use the new eBPF-based sensor for Defender for Endpoint on Linux

Update – 10/9/2023 – The new eBPF-based sensor for Microsoft for Endpoint on is now generally available.

While organizations rely on -based machines to run mission critical workloads, attackers are increasingly targeting these environments. Therefore, it's critical that endpoint security solutions can help organizations protect their multi-platform estate. 

Today, we are excited to announce that a new, eBPF-based sensor for Microsoft for Endpoint on is now generally available.

The initial implementation of for Endpoint on Linux relies on auditd as the primary event provider, but now organizations can use eBPF as an alternative technology. It delivers additional system stability and performance optimizations for all supported Linux-based machines.

Here are the key benefits of using eBPF as the primary supplementary event provider:

  • Reduced system-wide auditd-related log noise
  • Optimized system-wide event rules causing conflict between applications
  • Reduced overhead for file event (file read/open) monitoring
  • Improved event rate throughput
  • Optimized performance for specific configurations

With eBPF, events previously obtained from the auditd event provider now flow from the eBPF sensor. This helps with system stability, improving CPU and memory utilization and reduces disk usage. In addition, the eBPF sensor uses capabilities of the Linux kernel without requiring the use of a kernel module that helps increase system stability.

The eBPF sensor will be automatically enabled for all customers by default on agent versions “101.23082.0006” and above. In the event eBPF doesn't become enabled or is not supported on any specific kernel, it will automatically switch back to auditd and retain all auditd custom rules. We recommend switching to eBPF so that you can also benefit from the new enhancements planned for future releases of eBPF.

Note: For customers using auditd in immutable mode, a reboot is required after enabling eBPF to clear the audit rules file. This is a limitation of auditd's immutable mode, which freezes the rules file and prevents it from being edited or overwritten until the reboot takes place.

To check your default event provider, run the command – “mdatp health” and check for the value of “supplementary_events_subsystem”. In case you want to disable eBPF,  run the command – “sudo mdatp config ebpf-supplementary-event-provider –value [enabled/disabled]”. On disabling eBPF, the supplementary event provider switches back to auditd.

More information


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.