{"id":51101410,"url":"https://github.com/xonoxitron/ebpf-sentinel","last_synced_at":"2026-06-24T11:00:50.212Z","repository":{"id":363887273,"uuid":"1265405818","full_name":"xonoxitron/ebpf-sentinel","owner":"xonoxitron","description":"Linux kernel security: Rust eBPF probes, scalable telemetry (NDJSON/gRPC), MITRE ATT\u0026CK detection-as-code, and Claude-powered SOAR triage tuned for ML workloads.","archived":false,"fork":false,"pushed_at":"2026-06-10T18:54:51.000Z","size":50,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-10T20:22:15.421Z","etag":null,"topics":["aya","detection-engineering","ebpf","edr","endpoint-detection","file-integrity-monitoring","grpc","linux-kernel-security","ml-infrastructure-security","ndjson","process-lineage","reverse-shell-detection","siem","soar","telemetry-pipeline","tracepoints"],"latest_commit_sha":null,"homepage":"https://github.com/xonoxitron/ebpf-sentinel","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xonoxitron.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-10T18:40:53.000Z","updated_at":"2026-06-10T18:56:02.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/xonoxitron/ebpf-sentinel","commit_stats":null,"previous_names":["xonoxitron/ebpf-sentinel"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/xonoxitron/ebpf-se
ntinel","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xonoxitron%2Febpf-sentinel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xonoxitron%2Febpf-sentinel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xonoxitron%2Febpf-sentinel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xonoxitron%2Febpf-sentinel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xonoxitron","download_url":"https://codeload.github.com/xonoxitron/ebpf-sentinel/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xonoxitron%2Febpf-sentinel/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34728928,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-24T02:00:07.484Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aya","detection-engineering","ebpf","edr","endpoint-detection","file-integrity-monitoring","grpc","linux-kernel-security","ml-infrastructure-security","ndjson","process-lineage","reverse-shell-detection","siem","soar","telemetry-pipeline","tracepoints"],"created_at":"2026-06-24T11:00:49.448Z","updated_at":"2026-06-24T11:00:50.207Z","avatar_url":"https://github.com/xonoxitron.png","language":"Rust","funding_links":[],"catego
ries":[],"sub_categories":[],"readme":"# ebpf-sentinel\n\n**🛡️ eBPF-native Linux endpoint detection · 📜 detection-as-code · 🤖 Claude-powered alert triage**\n\n[![CI](https://github.com/xonoxitron/ebpf-sentinel/actions/workflows/ci.yml/badge.svg)](https://github.com/xonoxitron/ebpf-sentinel/actions/workflows/ci.yml)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n![Rust](https://img.shields.io/badge/rust-nightly%20+%20stable-orange)\n![eBPF](https://img.shields.io/badge/eBPF-Linux%205.8%2B-green)\n![MITRE ATT\u0026CK](https://img.shields.io/badge/MITRE%20ATT%26CK-mapped-red)\n\n\u003e Production-oriented proof-of-concept for **kernel-level Linux endpoint security**: eBPF sensors, scalable telemetry pipelines, YAML detection-as-code, and **Claude-assisted SOAR triage** — designed for AI/ML infrastructure where observability must not compete with GPU workloads.\n\n---\n\n## Why this project exists\n\n**ebpf-sentinel** is a hands-on implementation of a modern **Linux node sensor** — the kind of system used on detection platforms that protect large fleets of training and inference hosts. 
It demonstrates:\n\n- **eBPF kernel instrumentation** (tracepoints, ring buffers, in-kernel maps) with minimal userspace overhead\n- **Detection engineering** via version-controlled YAML rules mapped to **MITRE ATT\u0026CK**\n- **Security telemetry pipelines** (NDJSON, gRPC/protobuf) suitable for SIEM and internal platforms\n- **AI-assisted detection \u0026 response** using the Anthropic Messages API for structured triage on ML-heavy endpoints\n\nIf you are evaluating candidates for **Linux kernel security**, **EDR**, **detection engineering**, or **AI × security** roles — this repository is meant to be clone-and-buildable evidence of end-to-end ownership.\n\n---\n\n## Architecture\n\n```mermaid\nflowchart TB\n    subgraph kernel[\"Linux kernel · sentinel-ebpf\"]\n        direction TB\n        TP[\"Tracepoints\u003cbr/\u003eexecve · connect · openat\u003cbr/\u003efork · exec\"]\n        MAPS[\"BPF maps\u003cbr/\u003ePROCESS_TREE · MONITORED_PATHS\u003cbr/\u003ePerCpuArray scratch\"]\n        RB[(\"EVENTS RingBuf\u003cbr/\u003e256 KiB · mmap\")]\n        TP --\u003e MAPS\n        TP --\u003e RB\n    end\n\n    subgraph types[\"sentinel-common\"]\n        EVT[\"SentinelEvent\u003cbr/\u003efixed-size C layout\"]\n    end\n\n    subgraph daemon[\"sentinel daemon · Rust + Tokio\"]\n        direction TB\n        LOAD[\"ProbeLoader\u003cbr/\u003eBTF / CO-RE attach · map seeding\"]\n        CONS[\"RingBuf consumer\u003cbr/\u003eparse · mpsc channel\"]\n        ENR[\"Enricher\u003cbr/\u003eparent_comm · lineage\u003cbr/\u003eK8s CRI metadata\"]\n        RULES[\"RuleEngine\u003cbr/\u003eYAML rules + Sigma import\"]\n        SUP[\"AlertSuppressor\u003cbr/\u003eper-rule rate limits\"]\n        TRI[\"Claude Triager\u003cbr/\u003eoptional SOAR\"]\n        MET[\"Prometheus :9090\u003cbr/\u003eevents · alerts · suppressed\"]\n        SINK[\"MultiSink\u003cbr/\u003estdout · NDJSON · gRPC\"]\n\n        LOAD --\u003e CONS\n        CONS --\u003e ENR\n        ENR --\u003e|\"all 
events\"| SINK\n        ENR --\u003e RULES\n        RULES --\u003e SUP\n        SUP --\u003e|\"MITRE alerts\"| TRI\n        TRI --\u003e SINK\n        SUP --\u003e|\"non-suppressed\"| SINK\n        ENR --\u003e MET\n        RULES --\u003e MET\n        SUP --\u003e MET\n    end\n\n    subgraph config[\"Configuration \u0026 rules\"]\n        CFG[\"config/sentinel.yaml\"]\n        RULES_DIR[\"rules/ · sigma/\"]\n        CFG --\u003e LOAD\n        CFG --\u003e ENR\n        CFG --\u003e SINK\n        CFG --\u003e MET\n        RULES_DIR --\u003e RULES\n    end\n\n    subgraph external[\"Downstream\"]\n        ANTH[\"Anthropic API\"]\n        PLATFORM[\"SIEM / platform\u003cbr/\u003egrpc-ingest · log aggregation\"]\n        TRI -.-\u003e ANTH\n        SINK --\u003e PLATFORM\n    end\n\n    RB --\u003e|\"zero-copy events\"| CONS\n    EVT -.-\u003e kernel\n    EVT -.-\u003e daemon\n```\n\n**Telemetry path** — every kernel event is parsed, enriched, optionally emitted to sinks, and counted in Prometheus.\n\n**Detection path** — enriched events are evaluated against YAML/Sigma rules; matches pass through suppression and optional Claude triage before alert export.\n\n### Design principles for ML workloads\n\n| Concern | Approach |\n|--------|----------|\n| **CPU overhead** | Kernel events via tracepoints; single ring buffer; no per-event syscalls from probes |\n| **Memory** | Fixed-size `#[repr(C)]` events; per-CPU scratch map avoids BPF stack exhaustion |\n| **False positives on training nodes** | Claude triage prompt encodes ML context (PyTorch, checkpoints, telemetry) |\n| **Fleet scale** | Stateless daemon; gRPC ingest for centralized pipelines; NDJSON for log aggregation |\n| **Maintainability** | Rust userspace + Rust eBPF ([Aya](https://aya-rs.dev)); shared `sentinel-common` types |\n\n---\n\n## Feature matrix (job-relevant capabilities)\n\n| Capability | Implementation |\n|-----------|----------------|\n| **eBPF / kernel sensors** | `sentinel-ebpf`: execve, connect, 
openat, fork/exec lineage, FIM |\n| **Rust systems programming** | Workspace crates, `no_std` eBPF, async userspace daemon |\n| **Detection-as-code** | YAML rules, regex pre-compiled at startup, MITRE metadata |\n| **SIEM / log aggregation** | Structured JSON alerts; NDJSON sink |\n| **Internal platform / API design** | gRPC + Protobuf (`SentinelIngest`); reference `grpc-ingest` server |\n| **SOAR / automation** | Rule `actions: [alert, triage]` → Claude enrichment pipeline |\n| **AI for security operations** | Anthropic API integration with structured triage JSON |\n| **Process lineage** | In-kernel `PROCESS_TREE` map + userspace enricher |\n| **File integrity monitoring** | Configurable path prefixes; write-capable open detection |\n| **CI/CD** | GitHub Actions: build eBPF, unit tests, rustfmt |\n| **Test-driven development** | Rule engine unit tests (prefix, regex, MITRE rules) |\n\n---\n\n## Quick start\n\n\u003e **Run commands from the repository root** so relative paths like `rules_dir: rules` resolve correctly.\n\n### Prerequisites\n\n```bash\n# Toolchain (see rust-toolchain.toml)\nrustup toolchain install nightly\nrustup component add --toolchain nightly rust-src\ncargo install bpf-linker\n\n# System (Debian/Ubuntu)\nsudo apt-get install -y clang llvm libelf-dev\n\n# Kernel: Linux ≥ 5.8 with BTF\ntest -f /sys/kernel/btf/vmlinux \u0026\u0026 echo \"BTF OK\" || echo \"install kernel BTF package\"\n```\n\n### Build\n\n```bash\ngit clone https://github.com/xonoxitron/ebpf-sentinel.git\ncd ebpf-sentinel\nmake build\n# binaries: target/release/sentinel, target/release/grpc-ingest\n```\n\n### Try detection without root (30 seconds)\n\n```bash\nmake demo\n# or: ./examples/demo-detection.sh\n```\n\nRuns rule-engine unit tests and a synthetic reverse-shell pipeline test — no `sudo` required.\n\n### Run the live sensor\n\n```bash\n# CAP_BPF + CAP_PERFMON + CAP_SYS_ADMIN, or root\nexport ANTHROPIC_API_KEY=\"sk-ant-...\"   # optional, for Claude triage\n\nsudo -E 
./target/release/sentinel --config config/sentinel.yaml\n```\n\n**Safe trigger** (second terminal) — bundled writable-staging rule:\n\n```bash\ncp /bin/ls /tmp/sentinel-demo \u0026\u0026 /tmp/sentinel-demo --version\nrm -f /tmp/sentinel-demo\n```\n\nExpect alert `T1574.006-001` on **stderr**. Full walkthrough: [`examples/README.md`](examples/README.md).\n\n### Alerts-only mode\n\n```bash\nsudo -E ./target/release/sentinel --config config/sentinel.yaml --no-emit-events\n```\n\n### Claude triage\n\nEnable in `config/sentinel.yaml`:\n\n```yaml\ntriage:\n  enabled: true\n  api_key_env: ANTHROPIC_API_KEY\n  model: claude-sonnet-4-20250514\n  max_tokens: 1024\n```\n\nRules with `actions: [alert, triage]` receive structured triage JSON on export.\n\n### gRPC ingest pipeline\n\n```bash\n# Terminal A — reference ingest server (0.0.0.0:50051)\n./target/release/grpc-ingest\n\n# Terminal B — agent with gRPC sink\nsudo -E ./target/release/sentinel --config config/sentinel-grpc.yaml\n```\n\nSee [`config/sentinel-grpc.yaml`](config/sentinel-grpc.yaml) and [`examples/docker-compose.yml`](examples/docker-compose.yml).\n\n---\n\n## Example output\n\n### Sink formats\n\n| Sink | Events | Alerts |\n|------|--------|--------|\n| **stdout** | JSON on stdout | JSON on **stderr** |\n| **ndjson** | `{\"record_type\":\"event\",\"data\":{...}}` | `{\"record_type\":\"alert\",\"data\":{...}}` |\n| **grpc** | `SentinelIngest.StreamEvents` | `SentinelIngest.StreamAlerts` |\n\n### Alert payload (core fields)\n\n```json\n{\n  \"rule_id\": \"T1059.004-001\",\n  \"title\": \"Interactive Shell Spawned by Network Utility\",\n  \"severity\": \"critical\",\n  \"mitre\": {\n    \"tactic\": \"Execution\",\n    \"technique\": \"T1059.004\"\n  },\n  \"event\": {\n    \"kind\": \"exec\",\n    \"pid\": 18341,\n    \"ppid\": 18340,\n    \"comm\": \"bash\",\n    \"parent_comm\": \"nc\",\n    \"path\": \"/bin/bash\",\n    \"lineage\": [\"nc\", \"systemd\"]\n  }\n}\n```\n\n\u003e **Note:** At `sys_enter_execve`, 
kernel `comm` is still the *pre-exec* task name. The enricher derives `comm` from the executable `path` basename so rules match the real binary. That basename comes from the pathname passed to `execve`, so a binary copied or renamed elsewhere (the safe trigger above, `/tmp/sentinel-demo`, is one) is reported under its new name.\n\n### NDJSON envelope\n\n```json\n{\"record_type\":\"alert\",\"data\":{\"rule_id\":\"T1574.006-001\",\"title\":\"...\",\"event\":{...}}}\n```\n\n### Claude triage enrichment (`triage` field on alert)\n\n```json\n{\n  \"triage\": {\n    \"severity\": \"critical\",\n    \"summary\": \"Reverse shell pattern: bash spawned directly by netcat.\",\n    \"reasoning\": \"Interactive shell with network utility parent is a high-fidelity execution chain.\",\n    \"mitre\": [\"T1059.004\", \"T1071.001\"],\n    \"remediation\": [\n      \"Isolate the node from the network.\",\n      \"Kill PID 18341 and parent 18340; preserve memory if feasible.\",\n      \"Audit UID 1000 credentials and recent outbound connections.\"\n    ],\n    \"false_positive_likelihood\": 0.03\n  }\n}\n```\n\n---\n\n## Detection-as-code\n\nRules live in [`rules/`](rules/) — one YAML file per detection. 
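
The rule shape used in this section, as an added example that is not part of ebpf-sentinel: a small Python evaluator that pre-compiles `matches` regexes at load time, walks `all`/`any` groups with the six field operators, derives `comm` from the `path` basename as the note above describes, applies a per-rule rate limit in the spirit of the AlertSuppressor, and wraps each match in the NDJSON alert envelope. The reverse-shell rule is transcribed from this page; the staging-directory rule conditions, the rate-limit parameters and the sample events are constructed assumptions, and the decision that an absent field never matches (even for `ne`) is this example's own.

```python
import json
import re
import time

# Added example, not ebpf-sentinel code: a minimal evaluator for detection
# rules in the YAML shape shown on this page. Rules are dict literals (what
# a YAML loader would produce) so the example runs with the stdlib only.

OPS = {
    'eq':       lambda v, x: v == x,
    'ne':       lambda v, x: v != x,
    'prefix':   lambda v, x: str(v).startswith(x),
    'suffix':   lambda v, x: str(v).endswith(x),
    'contains': lambda v, x: x in str(v),
    'matches':  lambda v, x: x.search(str(v)) is not None,  # x: compiled regex
}

def compile_rule(rule):
    '''Pre-compile every matches regex once, as the daemon does at startup.'''
    def walk(cond):
        if 'all' in cond:
            return {'all': [walk(c) for c in cond['all']]}
        if 'any' in cond:
            return {'any': [walk(c) for c in cond['any']]}
        if cond['op'] == 'matches':
            return dict(cond, value=re.compile(cond['value']))
        return cond
    return dict(rule, conditions=walk(rule['conditions']))

def evaluate(cond, event):
    '''Evaluate an all/any group or one field matcher against one event.'''
    if 'all' in cond:
        return all(evaluate(c, event) for c in cond['all'])
    if 'any' in cond:
        return any(evaluate(c, event) for c in cond['any'])
    value = event.get(cond['field'])
    if value is None:   # this example's choice: an absent field never matches
        return False
    return OPS[cond['op']](value, cond['value'])

def derive_comm(event):
    '''At sys_enter_execve comm is still the pre-exec name; use the basename
    of path for exec events, as the enricher note on this page describes.'''
    if event.get('kind') == 'exec' and event.get('path'):
        return dict(event, comm=event['path'].rsplit('/', 1)[-1])
    return event

class Suppressor:
    '''Per-rule rate limit: at most max_per_window alerts per rule per window.'''
    def __init__(self, max_per_window=2, window_s=60.0, clock=time.monotonic):
        self.max, self.window, self.clock, self.seen = max_per_window, window_s, clock, {}

    def allow(self, rule_id):
        now = self.clock()
        recent = [t for t in self.seen.get(rule_id, []) if now - t < self.window]
        allowed = len(recent) < self.max
        self.seen[rule_id] = recent + [now] if allowed else recent
        return allowed

def run_rules(rules, event, suppressor=None):
    '''Return NDJSON alert envelopes ({record_type, data}) for matching rules.'''
    event = derive_comm(event)
    alerts = []
    for rule in rules:
        if not evaluate(rule['conditions'], event):
            continue
        if suppressor is not None and not suppressor.allow(rule['id']):
            continue   # the daemon counts these as suppressed; dropped here
        alerts.append({'record_type': 'alert', 'data': {
            'rule_id': rule['id'], 'title': rule['title'], 'severity': rule['severity'],
            'mitre': rule['mitre'], 'actions': rule['actions'], 'event': event}})
    return alerts

# Bundled T1059.004-001 rule, transcribed from this page.
REVERSE_SHELL_RULE = {
    'id': 'T1059.004-001', 'title': 'Interactive Shell Spawned by Network Utility',
    'severity': 'critical', 'mitre': {'tactic': 'Execution', 'technique': 'T1059.004'},
    'conditions': {'all': [
        {'field': 'kind', 'op': 'eq', 'value': 'exec'},
        {'field': 'comm', 'op': 'matches', 'value': '^(bash|sh|zsh|dash|fish)$'},
        {'field': 'parent_comm', 'op': 'matches',
         'value': '^(nc|ncat|socat|python3?|perl|ruby|php|curl)$'}]},
    'actions': ['alert', 'triage']}

# Assumed conditions for the writable-staging rule; the real file is not on this page.
STAGING_RULE = {
    'id': 'T1574.006-001', 'title': 'Binary executed from writable staging directory',
    'severity': 'high', 'mitre': {'tactic': 'Defense Evasion', 'technique': 'T1574.006'},
    'conditions': {'all': [
        {'field': 'kind', 'op': 'eq', 'value': 'exec'},
        {'any': [{'field': 'path', 'op': 'prefix', 'value': '/tmp/'},
                 {'field': 'path', 'op': 'prefix', 'value': '/dev/shm/'}]}]},
    'actions': ['alert']}

RULES = [compile_rule(r) for r in (REVERSE_SHELL_RULE, STAGING_RULE)]

# Constructed events in the enriched shape shown above; comm deliberately still
# carries the pre-exec (parent) name so derive_comm has something to correct.
NC_SHELL = {'kind': 'exec', 'pid': 18341, 'ppid': 18340, 'uid': 1000, 'comm': 'nc',
            'parent_comm': 'nc', 'path': '/bin/bash', 'lineage': ['nc', 'systemd']}
TRAINER_SHELL = dict(NC_SHELL, pid=4242, ppid=4200, comm='python3', parent_comm='python3',
                     lineage=['python3', 'bash', 'sshd'])
STAGED_LS = dict(NC_SHELL, pid=5001, ppid=5000, comm='bash', parent_comm='bash',
                 path='/tmp/sentinel-demo', lineage=['bash', 'sshd'])
BENIGN_LS = dict(STAGED_LS, path='/bin/ls')

if __name__ == '__main__':
    suppressor = Suppressor()
    for ev in (NC_SHELL, TRAINER_SHELL, STAGED_LS, BENIGN_LS):
        for alert in run_rules(RULES, ev, suppressor):
            print(json.dumps(alert))
```

Running it prints one NDJSON line per match: the netcat-spawned shell fires `T1059.004-001`, the copy of `ls` under `/tmp` fires `T1574.006-001`, the benign `/bin/ls` fires nothing, and the shell spawned from `python3` also fires `T1059.004-001`, which is exactly the kind of training-node match the triage stage exists to rate, since the parent regex includes `python3?` by design.
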
Each rule supports:\n\n- **Field matchers**: `eq`, `ne`, `prefix`, `suffix`, `contains`, `matches` (regex)\n- **Boolean logic**: `all` / `any` condition groups\n- **MITRE ATT\u0026CK** metadata\n- **Actions**: `alert`, `triage`\n\n```yaml\nid: T1059.004-001\ntitle: Interactive Shell Spawned by Network Utility\nseverity: critical\nmitre:\n  tactic: Execution\n  technique: T1059.004\nconditions:\n  all:\n    - field: kind\n      op: eq\n      value: exec\n    - field: comm\n      op: matches\n      value: \"^(bash|sh|zsh|dash|fish)$\"\n    - field: parent_comm\n      op: matches\n      value: \"^(nc|ncat|socat|python3?|perl|ruby|php|curl)$\"\nactions: [alert, triage]\n```\n\n### Event fields (enriched in userspace)\n\n| Kind | Key fields |\n|------|------------|\n| `exec` | `comm` (from path basename), `parent_comm`, `path`, `lineage`, `uid` |\n| `connect` | `comm`, `addr_family`, `dst_addr`, `dst_port` (IPv4 and IPv6) |\n| `open` | `comm`, `path`, `flags` |\n| `fileintegrity` | `comm`, `path`, `flags` |\n| `processfork` | `comm` (parent), `pid`, `ppid`, `uid` |\n| *(enriched)* | `container_id`, `pod_name`, `pod_namespace`, `pod_image` when K8s enabled |\n\n### Bundled detections\n\n| ID | Name | Severity |\n|----|------|----------|\n| `T1059.004-001` | Interactive shell spawned by network utility | Critical |\n| `T1574.006-001` | Binary executed from writable staging directory | High |\n| `CUSTOM-ML-EXFIL-001` | Model artifact accessed by transfer utility | High |\n| `T1003.008-001` | Access to credential store (`/etc/shadow`) | High |\n| `FIM-001` | File integrity violation on monitored path | Critical |\n| `NET-IPv6-001` | Outbound IPv6 connect | Low |\n| `sigma-sentinel-sigma-nc-shell` | Sigma: shell spawned by netcat | Critical |\n\n---\n\n## Project layout\n\n```\nebpf-sentinel/\n├── .github/workflows/ci.yml     # Build + test + integration CI\n├── config/\n│   ├── sentinel.yaml            # Default agent config\n│   └── sentinel-grpc.yaml       # gRPC sink 
example\n├── examples/\n│   ├── demo-detection.sh        # Hands-on demo (no root)\n│   ├── config/                  # alerts-only, FIM lab, triage, K8s, …\n│   ├── rules/                   # Custom rule lab (DEMO-TMP-ECHO-001)\n│   ├── sigma/                   # Sample Sigma imports\n│   ├── triggers/                # Safe detection fire scripts\n│   ├── scripts/                 # live-sensor, watch-alerts, gRPC pipeline\n│   ├── deploy/                  # systemd + DaemonSet manifests\n│   ├── prometheus/              # Scrape config\n│   ├── docker-compose.yml       # grpc-ingest reference stack\n│   └── README.md                # Full examples catalog\n├── rules/                       # Native YAML detections (MITRE-mapped)\n├── sigma/                       # Sigma rules (imported at startup)\n├── docs/                        # PORTABILITY.md, K8S.md\n├── sentinel-common/             # Shared #[repr(C)] event types\n├── sentinel-ebpf/               # Kernel probes (Aya, bpfel-unknown-none)\n│   └── src/\n│       ├── probes.rs            # execve · connect · openat · fork/exec\n│       └── helpers.rs           # emit · FIM · process tree\n└── sentinel/                    # Userspace daemon\n    ├── proto/sentinel.proto     # gRPC telemetry schema\n    ├── tests/integration.rs     # Pipeline + eBPF loader tests\n    └── src/\n        ├── loader.rs            # BTF attach · map seeding\n        ├── enricher.rs          # /proc seed · lineage · K8s\n        ├── rules/               # YAML + Sigma engine\n        ├── suppress.rs          # Per-rule rate limits\n        ├── metrics.rs           # Prometheus exporter\n        ├── triage.rs            # Claude SOAR integration\n        └── sinks/               # stdout · NDJSON · gRPC\n```\n\n---\n\n## Technology stack\n\n| Layer | Technology |\n|-------|------------|\n| Kernel probes | Rust eBPF ([Aya](https://aya-rs.dev)), tracepoints, ring buffer |\n| Userspace agent | Rust, Tokio, `aya`, `clap` |\n| Rules | YAML, 
`serde`, `regex` (pre-compiled) |\n| Triage | Anthropic Messages API, structured JSON |\n| Telemetry | JSON, NDJSON, gRPC/Protobuf (Tonic) |\n| Build | `aya-build`, `bpf-linker`, nightly `build-std` |\n\n---\n\n## Configuration reference\n\n[`config/sentinel.yaml`](config/sentinel.yaml):\n\n| Key | Description |\n|-----|-------------|\n| `rules_dir` | Path to YAML detection rules |\n| `sigma_dir` | Optional Sigma rule import directory (`sigma-{id}` prefix) |\n| `monitored_paths` | FIM path prefixes pushed to eBPF map |\n| `sinks` | `stdout`, `ndjson`, or `grpc` outputs |\n| `triage` | Claude model, token limit, API key env var |\n| `host` | Hostname label on events/alerts |\n| `metrics` | Prometheus scrape endpoint (`sentinel_events_total`, `sentinel_alerts_total`) |\n| `suppression` | Per-rule alert rate limits |\n\n### Sigma import\n\nSigma YAML rules under `sigma_dir` are translated into native rules at startup (`sigma-{id}` prefix).\n\n| Sigma field | Sentinel field | Notes |\n|-------------|----------------|-------|\n| `Image` | `comm` | Path suffixes normalized (`/bin/bash` → `bash`) |\n| `ParentImage` | `parent_comm` | Same normalization |\n| `CommandLine` | `path` | |\n| `DestinationIp` | `dst_addr` | |\n| `DestinationPort` | `dst_port` | |\n| `logsource.category` | `kind` | `process_creation` → `exec`, etc. 
|\n\nUnsupported Sigma fields are skipped with a warning.\n\n### Prometheus\n\nWhen `metrics.enabled: true`, scrape `http://\u003chost\u003e:9090/metrics`:\n\n```bash\ncurl -s localhost:9090/metrics | grep sentinel_\n```\n\n---\n\n## Roadmap\n\n- [x] CO-RE / BTF portability hardening for multi-kernel fleets\n- [x] IPv6 connect telemetry (`sys_enter_connect` v6 parsing)\n- [x] Alert suppression and per-rule rate limiting\n- [x] Prometheus metrics (`sentinel_events_total`, `sentinel_alerts_total`)\n- [x] Kubernetes pod metadata enrichment (CRI / container ID)\n- [x] Sigma rule import\n- [x] Integration tests with `testcontainers` + privileged CI runners\n\n---\n\n## Development\n\n```bash\nmake demo        # hands-on detection demo (recommended first step)\nmake test        # unit tests\nmake integration # integration + sudo eBPF loader test\nmake fmt         # rustfmt\nmake clippy      # lint (strict)\nmake ingest      # run gRPC reference server\n```\n\n### Troubleshooting\n\n| Symptom | Fix |\n|---------|-----|\n| `kernel BTF not found` | Install `linux-image-$(uname -r)` debug/BTF package; see [`docs/PORTABILITY.md`](docs/PORTABILITY.md) |\n| `Operation not permitted` loading BPF | Run as root or grant `CAP_BPF`, `CAP_PERFMON`, `CAP_SYS_ADMIN` |\n| No rules match | Run from repo root; check `rules_dir` path in config |\n| No alerts on stderr | Alerts go to **stderr**; events go to **stdout** when using the stdout sink |\n| gRPC connection refused | Start `grpc-ingest` before the agent; verify `endpoint` in config |\n\n---\n\n## Security note\n\nThis agent loads eBPF programs into the kernel. Run only on systems you own. 
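
An added example (not project code) of the check a practitioner would want before a triage object is exported: because the alert's event fields (process paths, parent names, pod labels) are fed to the model, anyone who controls those values on the host can influence the reply, so the structured JSON is validated against the shape shown above instead of being trusted as-is. The severity set, the 2000-character text cap and the malformed reply are constructed assumptions; the well-formed reply is the one on this page.

```python
import re

# Added example, not ebpf-sentinel code: schema checks applied to the triage
# object before it is attached to an alert. Input is the parsed model reply
# (a dict), i.e. what the API client hands back after JSON decoding.

SEVERITIES = ('low', 'medium', 'high', 'critical')       # assumed enum
TECHNIQUE_RE = re.compile('^T[0-9]{4}([.][0-9]{3})?$')   # T1059 or T1059.004
EXPECTED_KEYS = frozenset(['severity', 'summary', 'reasoning', 'mitre',
                           'remediation', 'false_positive_likelihood'])
MAX_TEXT = 2000   # assumed cap on free text; runaway prose is itself a signal

def validate_triage(raw):
    '''Return (triage, problems). triage is a copy holding only the expected
    keys, or None when any check fails; problems names every failed check.'''
    if not isinstance(raw, dict):
        return None, ['triage output is not a JSON object']
    problems = []
    unknown, missing = set(raw) - EXPECTED_KEYS, EXPECTED_KEYS - set(raw)
    if unknown:
        problems.append('unexpected keys: ' + ', '.join(sorted(unknown)))
    if missing:
        problems.append('missing keys: ' + ', '.join(sorted(missing)))
    if raw.get('severity') not in SEVERITIES:
        problems.append('severity must be one of ' + '/'.join(SEVERITIES))
    for key in ('summary', 'reasoning'):
        text = raw.get(key)
        if not isinstance(text, str) or not 0 < len(text) <= MAX_TEXT:
            problems.append(key + ' must be a non-empty string within the cap')
    mitre = raw.get('mitre')
    if not isinstance(mitre, list) or not all(
            isinstance(t, str) and TECHNIQUE_RE.search(t) for t in mitre):
        problems.append('mitre must be a list of MITRE technique IDs')
    steps = raw.get('remediation')
    if not isinstance(steps, list) or not all(
            isinstance(s, str) and len(s) <= MAX_TEXT for s in steps):
        problems.append('remediation must be a list of strings')
    fpl = raw.get('false_positive_likelihood')
    if isinstance(fpl, bool) or not isinstance(fpl, (int, float)) or not 0 <= fpl <= 1:
        problems.append('false_positive_likelihood must be a number in [0, 1]')
    if problems:
        return None, problems
    return {k: raw[k] for k in EXPECTED_KEYS}, []

# The triage object shown on this page, as the well-formed case.
GOOD_TRIAGE = {
    'severity': 'critical',
    'summary': 'Reverse shell pattern: bash spawned directly by netcat.',
    'reasoning': 'Interactive shell with network utility parent is a high-fidelity execution chain.',
    'mitre': ['T1059.004', 'T1071.001'],
    'remediation': ['Isolate the node from the network.',
                    'Kill PID 18341 and parent 18340; preserve memory if feasible.',
                    'Audit UID 1000 credentials and recent outbound connections.'],
    'false_positive_likelihood': 0.03}

# Constructed malformed reply: wrong severity label, a tactic name where a
# technique ID belongs, a probability above 1 and a key the schema never asked for.
BAD_TRIAGE = dict(GOOD_TRIAGE, severity='P1', mitre=['T1059.004', 'Execution'],
                  false_positive_likelihood=1.5, tool_call={'name': 'kill', 'pid': 18341})

if __name__ == '__main__':
    for reply in (GOOD_TRIAGE, BAD_TRIAGE, 'plain text instead of JSON'):
        triage, problems = validate_triage(reply)
        print('accepted' if triage else 'rejected: ' + '; '.join(problems))
```

A rejected reply should still leave the underlying alert intact; only the `triage` field is withheld, and the rejection reasons are worth counting alongside the existing Prometheus alert counters so a drift in model output shows up as a metric rather than as silent enrichment loss.
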
Review which rules carry the `triage` action before enabling Claude triage in production: the alert, including its event fields (paths, parent lineage, UIDs, and pod metadata when K8s enrichment is on), is sent to the Anthropic API and so leaves the host. Treat `triage.remediation` as analyst guidance rather than as steps to execute automatically.\n\n---\n\n## License\n\n[MIT](LICENSE)\n\n---\n\n## Keywords\n\n`eBPF` · `Linux kernel security` · `endpoint detection` · `EDR` · `detection engineering` · `detection-as-code` · `MITRE ATT\u0026CK` · `Rust` · `Aya` · `tracepoints` · `ring buffer` · `SIEM` · `SOAR` · `Claude` · `Anthropic` · `security automation` · `ML infrastructure security` · `GPU training nodes` · `telemetry pipeline` · `gRPC` · `NDJSON` · `file integrity monitoring` · `process lineage` · `reverse shell detection`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxonoxitron%2Febpf-sentinel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxonoxitron%2Febpf-sentinel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxonoxitron%2Febpf-sentinel/lists"}