Today, Linux is one of the fastest growing platforms on Azure. Linux-based images form over 60% of Azure Marketplace images. As Azure's support for common Linux distributions grows every day, the sophistication of cyber-attacks targeting Linux continues to grow as well.
As part of the Sysinternals 25th anniversary, the Sysinternals team released a new Sysmon tool supporting Linux. Sysmon for Linux is an open-source Linux system monitoring tool that provides details on process creations, network connections, file creations and deletions, among other things. Sysmon for Linux is built on eBPF (Extended Berkeley Packet Filter) technology, which allows in-kernel monitoring without making any changes to the kernel source code.
By collecting the events it generates using Azure Sentinel and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
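To make the collect-then-analyze step concrete, here is a small added example (not code from the original post or from the Sysmon project) that parses Sysmon for Linux events as they appear in syslog, one XML `<Event>` per line, and runs two simple detection rules over them. The log lines, host names, paths and IP addresses are constructed for the example; the event IDs (1, 3, 11, 23) are the standard Sysmon IDs for the four event types named above, and the `Data Name` fields mirror Sysmon's EventData layout, with the exact set depending on the event type and configuration.

```python
"""Parse Sysmon for Linux syslog events and flag simple anomalies (added example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Standard Sysmon event IDs for the event types the post lists.
EVENT_NAMES = {1: "ProcessCreate", 3: "NetworkConnect", 11: "FileCreate", 23: "FileDelete"}

# Constructed sample log, not real Sysmon output. Each Sysmon line carries one
# XML <Event>; the final sshd line shows that non-Sysmon lines are skipped.
SAMPLE_LOG = """\
Jan 1 10:00:00 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>host</Computer></System><EventData><Data Name="Image">/usr/bin/bash</Data><Data Name="CommandLine">bash -c id</Data><Data Name="User">www-data</Data><Data Name="ParentImage">/usr/sbin/apache2</Data></EventData></Event>
Jan 1 10:00:01 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><Computer>host</Computer></System><EventData><Data Name="Image">/usr/bin/curl</Data><Data Name="DestinationIp">203.0.113.10</Data><Data Name="DestinationPort">4444</Data><Data Name="User">www-data</Data></EventData></Event>
Jan 1 10:00:02 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>11</EventID><Computer>host</Computer></System><EventData><Data Name="Image">/usr/bin/bash</Data><Data Name="TargetFilename">/tmp/.x</Data><Data Name="User">www-data</Data></EventData></Event>
Jan 1 10:00:03 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>23</EventID><Computer>host</Computer></System><EventData><Data Name="Image">/usr/bin/rm</Data><Data Name="TargetFilename">/var/log/auth.log</Data><Data Name="User">root</Data></EventData></Event>
Jan 1 10:00:04 host sshd[123]: Accepted publickey for admin from 198.51.100.7
"""

EVENT_RE = re.compile(r"<Event>.*?</Event>")


@dataclass
class SysmonEvent:
    event_id: int
    name: str
    data: Dict[str, str]


def parse_events(log_text: str) -> List[SysmonEvent]:
    """Extract the <Event> XML from each syslog line and flatten its EventData."""
    events: List[SysmonEvent] = []
    for line in log_text.splitlines():
        match = EVENT_RE.search(line)
        if not match:
            continue  # not a Sysmon line (e.g. sshd)
        root = ET.fromstring(match.group(0))
        provider = root.find("./System/Provider")
        if provider is None or provider.get("Name") != "Linux-Sysmon":
            continue  # some other XML-bearing log source
        event_id = int(root.findtext("./System/EventID"))
        data = {d.get("Name"): (d.text or "") for d in root.findall("./EventData/Data")}
        name = EVENT_NAMES.get(event_id, f"EventID{event_id}")
        events.append(SysmonEvent(event_id, name, data))
    return events


# Hypothetical allow/deny sets for the two rules below.
WEB_SERVERS = {"/usr/sbin/apache2", "/usr/sbin/nginx"}
SHELLS = {"/usr/bin/bash", "/bin/bash", "/usr/bin/sh", "/bin/sh", "/usr/bin/dash"}


def find_anomalies(events: List[SysmonEvent]) -> List[Tuple[str, SysmonEvent]]:
    """Two illustrative rules: a web server spawning a shell, and a log file deletion."""
    findings: List[Tuple[str, SysmonEvent]] = []
    for ev in events:
        d = ev.data
        if ev.event_id == 1 and d.get("ParentImage") in WEB_SERVERS and d.get("Image") in SHELLS:
            findings.append(("shell spawned by web server process", ev))
        elif ev.event_id == 23 and d.get("TargetFilename", "").startswith("/var/log/"):
            findings.append(("log file deleted", ev))
    return findings


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for ev in parsed:
        print(f"{ev.name:14} {ev.data.get('Image', '')} {ev.data.get('User', '')}")
    for reason, ev in find_anomalies(parsed):
        print(f"ALERT: {reason}: {ev.data}")
```

The same parsing step is what a Sentinel ingestion pipeline performs before the events reach a query; the two rules are only stand-ins for the kind of correlation described above and are not tuned for production use.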
Sysmon for Linux can be used to analyze pre-compromise and post-compromise activity, and when correlated with Azure Security Center (ASC)/Azure Defender (AzD) Linux detections it helps detect end-to-end attacker activity.
In this blog post we will be taking a quick look at different log events made available by Sysmon for Linux that defenders can use to gather more information on the alerts triggered in Azure Sentinel.