Microsoft ported Sysmon to Linux and open-sourced it

Microsoft has ported Sysmon, its system activity monitoring service, to Linux. On Linux, monitoring is built on the eBPF subsystem, which lets the tool attach event handlers that run inside the operating system kernel. A separate library, SysinternalsEBPF, is being developed alongside it and provides functions useful for building BPF programs that monitor system events. The toolkit code is published under the MIT license, and the BPF programs under GPLv2. The packages.microsoft.com repository hosts ready-made RPM and DEB packages for popular Linux distributions.

Sysmon logs detailed information about process creation and termination, network connections, and file operations. Beyond basic details, the log records data useful for security incident analysis: the name of the parent process, hashes of executable file contents, information about loaded dynamic libraries, file creation / access / modification / deletion times, and direct (raw) access by processes to block devices. Filters can be configured to limit how much data is recorded. The log is written through the standard syslog facility.
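As an added illustration of the kind of analysis these log fields support, the following Python script (example code written for this page, not part of the original article or of Microsoft's Sysmon code) parses Sysmon for Linux events out of syslog lines, flags shells spawned by web server processes using the parent-process field, and joins each flagged process to its outbound network connections by ProcessId. The sample log lines are constructed; the data field names (Image, ParentImage, CommandLine, Hashes, DestinationIp, DestinationPort) follow Sysmon's event schema, and the exact syslog prefix layout is an assumption.

```python
import os
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a syslog file with Sysmon for Linux writing to it: one
# XML <Event> per line after the usual syslog prefix. Field names follow
# Sysmon's ProcessCreate (EventID 1) and NetworkConnect (EventID 3) events;
# host names, PIDs, hashes, addresses and times are invented. The sshd line is
# ordinary syslog noise that the parser must skip.
SAMPLE_SYSLOG = """\
Oct 14 10:41:32 host1 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Channel>Linux-Sysmon/Operational</Channel></System><EventData><Data Name="UtcTime">2021-10-14 10:41:32.101</Data><Data Name="ProcessId">4120</Data><Data Name="Image">/usr/bin/bash</Data><Data Name="CommandLine">bash -c id</Data><Data Name="User">www-data</Data><Data Name="ParentProcessId">1337</Data><Data Name="ParentImage">/usr/sbin/apache2</Data><Data Name="Hashes">SHA256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</Data></EventData></Event>
Oct 14 10:41:33 host1 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Channel>Linux-Sysmon/Operational</Channel></System><EventData><Data Name="UtcTime">2021-10-14 10:41:33.250</Data><Data Name="ProcessId">4121</Data><Data Name="Image">/usr/bin/ls</Data><Data Name="CommandLine">ls -la /home</Data><Data Name="User">alice</Data><Data Name="ParentProcessId">4000</Data><Data Name="ParentImage">/usr/bin/bash</Data><Data Name="Hashes">SHA256=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210</Data></EventData></Event>
Oct 14 10:41:34 host1 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><Channel>Linux-Sysmon/Operational</Channel></System><EventData><Data Name="UtcTime">2021-10-14 10:41:34.000</Data><Data Name="ProcessId">4120</Data><Data Name="Image">/usr/bin/bash</Data><Data Name="DestinationIp">203.0.113.7</Data><Data Name="DestinationPort">4444</Data></EventData></Event>
Oct 14 10:41:35 host1 sshd[900]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
"""

# Assumed syslog prefix: "Mon DD HH:MM:SS host sysmon[pid]: <Event>...</Event>"
SYSLOG_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sysmon(?:\[\d+\])?: (<Event>.*</Event>)\s*$"
)


@dataclass
class SysmonEvent:
    timestamp: str
    host: str
    event_id: int
    data: Dict[str, str]


def parse_syslog_line(line: str) -> Optional[SysmonEvent]:
    """Return a SysmonEvent for a Sysmon syslog line, or None for any other line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    root = ET.fromstring(m.group(3))
    event_id = int(root.findtext("System/EventID"))
    # Each <Data Name="..."> element becomes one key of the event's data dict.
    data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    return SysmonEvent(m.group(1), m.group(2), event_id, data)


def parse_syslog(text: str) -> List[SysmonEvent]:
    """Parse every Sysmon event in a syslog text, skipping unrelated lines."""
    events = (parse_syslog_line(line) for line in text.splitlines())
    return [ev for ev in events if ev is not None]


WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def web_server_spawned_shells(events: List[SysmonEvent]) -> List[SysmonEvent]:
    """ProcessCreate events in which a web server process is the parent of a shell."""
    hits = []
    for ev in events:
        if ev.event_id != 1:
            continue
        parent = os.path.basename(ev.data.get("ParentImage", ""))
        image = os.path.basename(ev.data.get("Image", ""))
        if parent in WEB_SERVERS and image in SHELLS:
            hits.append(ev)
    return hits


def outbound_connections_for(events: List[SysmonEvent], pid: str) -> List[SysmonEvent]:
    """NetworkConnect events attributed to the given ProcessId.

    The kernel reuses PIDs, so a production correlation should key on Sysmon's
    process GUID field where present; ProcessId is sufficient for this sample."""
    return [ev for ev in events if ev.event_id == 3 and ev.data.get("ProcessId") == pid]


def sha256_of(ev: SysmonEvent) -> Optional[str]:
    """Extract the SHA256 value from a Sysmon 'Hashes' field such as 'SHA256=...'."""
    for part in ev.data.get("Hashes", "").split(","):
        name, _, value = part.partition("=")
        if name == "SHA256":
            return value
    return None


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    for hit in web_server_spawned_shells(evs):
        print(f"{hit.timestamp} {hit.host}: {hit.data['ParentImage']} spawned "
              f"'{hit.data['CommandLine']}' as {hit.data['User']} (sha256 {sha256_of(hit)})")
        for c in outbound_connections_for(evs, hit.data["ProcessId"]):
            print(f"  outbound connection to {c.data['DestinationIp']}:{c.data['DestinationPort']}")
```

Run against a real `/var/log/syslog` the regex may need adjusting to the local syslog daemon's prefix; the XML handling and the ProcessId join are independent of that. Sysmon's own include/exclude filters would normally drop the benign `ls` event before it is ever written, which is what keeps this kind of post-processing cheap.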

Source: opennet.ru
