eBPF-based File I/O Monitoring
Product Category: Endpoint Detection and Response (EDR)
Objective
Implement eBPF programs to monitor and capture file I/O events on Linux systems, providing detailed telemetry data for enhanced security monitoring.
Details
System Calls Intercepted: open, openat, creat, unlink, rename, and more.
Data Captured:
- Timestamp
- Process ID and Parent Process ID
- Process file name and path
- Command line used to initiate the process
- Type of activity (e.g., open, rename, delete)
- File I/O flags and modes
Use Case
This implementation was used to detect unauthorized access or modifications to sensitive files, track changes in system files for compliance, and improve the overall security posture by providing real-time alerts on suspicious file activities.
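The fields listed under Details and the use case above are enough to sketch the user-space half of such a system: once the eBPF programs have delivered an event per intercepted syscall, a consumer decodes the raw open(2) flags and applies policy to decide what becomes an alert. The following is an added example, not code from the page's own implementation. It assumes events have already been read from the kernel (for instance from a ring buffer) into plain Python objects with the fields the page lists; the watched path prefixes, the allow-list of legitimate writers, and the sample events are constructed for illustration and are not real telemetry.

```python
"""User-space consumer for eBPF file I/O telemetry (added example).

Assumes each kernel event has already been turned into a FileEvent with the
fields the page lists: timestamp, PID/PPID, executable path, command line,
activity type, open flags and mode. Flag bit values come from the os module so
they match the ABI of the host the consumer runs on.
"""
import os
from dataclasses import dataclass
from typing import Optional

# The two low bits of open(2) flags select the access mode; the rest are modifiers.
ACCMODE = os.O_RDONLY | os.O_WRONLY | os.O_RDWR
_ACC_NAMES = {os.O_RDONLY: "O_RDONLY", os.O_WRONLY: "O_WRONLY", os.O_RDWR: "O_RDWR"}
# Modifier bits that imply the caller intends to change the file or its entry.
_MODIFY_BITS = [("O_CREAT", os.O_CREAT), ("O_TRUNC", os.O_TRUNC), ("O_APPEND", os.O_APPEND)]
_OTHER_BITS = [("O_EXCL", os.O_EXCL), ("O_NOFOLLOW", os.O_NOFOLLOW), ("O_CLOEXEC", os.O_CLOEXEC)]
OPEN_FAMILY = ("open", "openat", "creat")

# Policy (constructed values): directories whose modification is always of
# interest, and binaries that are expected to write there.
WATCHED_PREFIXES = ("/etc/", "/var/log/", "/usr/bin/", "/usr/sbin/")
ALLOWED_WRITERS = {"/usr/sbin/usermod", "/usr/bin/passwd", "/usr/bin/dpkg", "/usr/sbin/rsyslogd"}


@dataclass
class FileEvent:
    ts: float
    pid: int
    ppid: int
    exe: str
    cmdline: str
    activity: str            # open, openat, creat, unlink, rename
    path: str
    flags: int = 0
    mode: int = 0
    new_path: Optional[str] = None   # destination of a rename


def decode_flags(flags: int) -> list:
    """Turn a raw flags word into symbolic names, access mode first."""
    acc = flags & ACCMODE
    names = [_ACC_NAMES.get(acc, f"ACC({acc})")]
    for name, bit in _MODIFY_BITS + _OTHER_BITS:
        if flags & bit:
            names.append(name)
    return names


def write_intent(ev: FileEvent) -> bool:
    """True when the event can change file contents or directory entries."""
    if ev.activity in ("creat", "unlink", "rename"):
        return True
    if ev.activity in ("open", "openat"):
        if (ev.flags & ACCMODE) in (os.O_WRONLY, os.O_RDWR):
            return True
        return any(ev.flags & bit for _, bit in _MODIFY_BITS)
    return False


def evaluate(ev: FileEvent, watched=WATCHED_PREFIXES, allowed=ALLOWED_WRITERS) -> Optional[str]:
    """Return an alert line for a write to a watched path by a non-allow-listed binary."""
    if not write_intent(ev):
        return None
    targets = [p for p in (ev.path, ev.new_path) if p]
    if not any(p.startswith(watched) for p in targets) or ev.exe in allowed:
        return None
    flags = "|".join(decode_flags(ev.flags)) if ev.activity in OPEN_FAMILY else "-"
    target = ev.path + (f" -> {ev.new_path}" if ev.new_path else "")
    return (f"{ev.ts:.3f} pid={ev.pid} ppid={ev.ppid} exe={ev.exe} "
            f"{ev.activity} {target} flags={flags} cmd={ev.cmdline!r}")


# Constructed sample stream: one benign read, one suspicious overwrite, one
# allow-listed write, a log deletion, a rename into /etc, and a benign read.
SAMPLE_EVENTS = [
    FileEvent(1.0, 2101, 1, "/usr/sbin/sshd", "sshd: session", "openat", "/etc/passwd",
              os.O_RDONLY | os.O_CLOEXEC),
    FileEvent(2.0, 3402, 3300, "/usr/bin/vi", "vi /etc/shadow", "openat", "/etc/shadow",
              os.O_WRONLY | os.O_TRUNC, 0o600),
    FileEvent(3.0, 3510, 3300, "/usr/sbin/usermod", "usermod -aG sudo alice", "openat",
              "/etc/group", os.O_RDWR),
    FileEvent(4.0, 4711, 3300, "/tmp/.x/cleaner", "./cleaner", "unlink", "/var/log/auth.log"),
    FileEvent(5.0, 4712, 3300, "/tmp/.x/cleaner", "./cleaner", "rename", "/tmp/.x/lib.so",
              new_path="/etc/ld.so.preload"),
    FileEvent(6.0, 5001, 3300, "/usr/bin/cat", "cat notes.txt", "openat",
              "/home/alice/notes.txt", os.O_RDONLY),
]


def detect(events=SAMPLE_EVENTS) -> list:
    """Run the policy over a stream and return the alert lines in order."""
    return [a for a in (evaluate(ev) for ev in events) if a]


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

Two design points are worth noting. Write intent is derived from the access mode bits plus O_CREAT, O_TRUNC and O_APPEND rather than from the activity name alone, so an openat(2) that truncates a file is treated the same as a creat(2); and a rename is checked against both its source and destination, since moving a file into a watched directory is as significant as modifying one already there. The PPID and command line captured by the eBPF side are carried into the alert so the responder can see the parent without a second lookup.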