Sysmon [1] is a popular monitoring tool on Windows. It is based on ETW and its custom driver and provides great details on what is happening in the system. To make the logs relevant, we need to configure it (SwiftOnSecurity created a good base config file [2]).

Yesterday, MS released the first version of Sysmon for Linux and made it open-source (MIT license) [3]. It is based on eBPF. In [4] they show how they use it in Azure to collect events from the Linux VMs.

- [1] https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- [2] https://github.com/SwiftOnSecurity/sysmon-config
- [3] https://github.com/Sysinternals/SysmonForLinux
- [4] https://techcommunity.microsoft.com/t5/azure-sentinel/automating-the-deployment-of-sysmon-for-linux-and-azure-sentinel/ba-p/2847054
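The comment's point that Sysmon output is only useful once it is filtered is easy to see on the Linux side, where events arrive as XML inside syslog messages. The following is an added example, not code from the comment or from the Sysmon project: it parses constructed Sysmon-for-Linux style syslog lines and applies a small include/exclude evaluator modelled on the `onmatch="include"`/`onmatch="exclude"` semantics of a Sysmon `EventFiltering` block. The sample lines, the provider GUID, and the field names (`Image`, `CommandLine`, `User`, `ParentImage`, assumed to mirror the Windows Sysmon schema) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample syslog lines, not real captures. Sysmon for Linux emits
# one XML <Event> per syslog message; the <Data Name="..."> field names used
# here are assumed to mirror the Windows Sysmon event schema, and the
# provider GUID is a placeholder.
SAMPLE_SYSLOG = """\
Oct 15 10:00:01 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{00000000-0000-0000-0000-000000000000}"/><EventID>1</EventID><Computer>web01</Computer></System><EventData><Data Name="UtcTime">2021-10-15 10:00:01.000</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/curl</Data><Data Name="CommandLine">curl -s http://example.invalid/</Data><Data Name="User">www-data</Data><Data Name="ParentImage">/usr/sbin/apache2</Data></EventData></Event>
Oct 15 10:00:02 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{00000000-0000-0000-0000-000000000000}"/><EventID>1</EventID><Computer>web01</Computer></System><EventData><Data Name="UtcTime">2021-10-15 10:00:02.000</Data><Data Name="ProcessId">4243</Data><Data Name="Image">/usr/bin/ls</Data><Data Name="CommandLine">ls -la /var/www</Data><Data Name="User">admin</Data><Data Name="ParentImage">/usr/bin/bash</Data></EventData></Event>
Oct 15 10:00:03 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{00000000-0000-0000-0000-000000000000}"/><EventID>1</EventID><Computer>web01</Computer></System><EventData><Data Name="UtcTime">2021-10-15 10:00:03.000</Data><Data Name="ProcessId">4244</Data><Data Name="Image">/usr/lib/systemd/systemd-tmpfiles</Data><Data Name="CommandLine">systemd-tmpfiles --clean</Data><Data Name="User">root</Data><Data Name="ParentImage">/usr/lib/systemd/systemd</Data></EventData></Event>
"""


def parse_sysmon_events(syslog_text):
    """Extract the XML payload of each syslog line into a flat dict of fields."""
    events = []
    for line in syslog_text.splitlines():
        start = line.find("<Event>")
        if start < 0:
            continue  # not a Sysmon message, skip it
        root = ET.fromstring(line[start:])
        event = {"EventID": int(root.findtext("System/EventID"))}
        for data in root.iterfind("EventData/Data"):
            event[data.get("Name")] = data.text or ""
        events.append(event)
    return events


# Condition operators as spelled in Sysmon <EventFiltering> rules.
CONDITIONS = {
    "is": lambda value, pattern: value == pattern,
    "is not": lambda value, pattern: value != pattern,
    "contains": lambda value, pattern: pattern in value,
    "begin with": lambda value, pattern: value.startswith(pattern),
    "end with": lambda value, pattern: value.endswith(pattern),
}


def matches_any(event, rules):
    """True if any (field, condition, pattern) rule matches the event."""
    return any(CONDITIONS[cond](event.get(field, ""), pattern)
               for field, cond, pattern in rules)


# Plain-data equivalent of a ProcessCreate block with onmatch="exclude":
# known-noisy housekeeping processes are dropped so the log stays reviewable.
PROCESS_CREATE_EXCLUDE = [
    ("Image", "is", "/usr/bin/ls"),
    ("ParentImage", "begin with", "/usr/lib/systemd/"),
]


def should_log(event, exclude_rules=PROCESS_CREATE_EXCLUDE, include_rules=()):
    """Sysmon semantics: an exclude match always wins; if include rules exist,
    the event is logged only when one of them matches; otherwise it is logged."""
    if matches_any(event, exclude_rules):
        return False
    if include_rules:
        return matches_any(event, include_rules)
    return True


def filter_events(syslog_text, **rule_sets):
    """Parse the syslog text and keep the ProcessCreate (EventID 1) events
    that survive the filter rules."""
    return [e for e in parse_sysmon_events(syslog_text)
            if e["EventID"] == 1 and should_log(e, **rule_sets)]


if __name__ == "__main__":
    for e in filter_events(SAMPLE_SYSLOG):
        print(f"{e['UtcTime']} {e['User']} {e['Image']} <- {e['ParentImage']}: {e['CommandLine']}")
```

With the default exclude list only the `curl` spawned by the web server user survives; passing `include_rules=[("User", "is", "root")]` with an empty exclude list instead keeps only the root-owned event, which is the allow-list style many production configs use for noisy event types.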