anonymous user Thanks for reaching out.
Azure Security Center depends on the Log Analytics agent to collect logs from the supported servers. Once you have the logs flowing in from the agent, by onboarding the servers from the Azure Security Center portal, we start getting the information.
Azure Defender collects audit records from Linux machines by using auditd, one of the most common Linux auditing frameworks. auditd lives in the mainline kernel.
Auditd records are collected, enriched, and aggregated into events by using the Log Analytics agent for Linux. Security Center continuously adds new analytics that use Linux signals to detect malicious behaviors on cloud and on-premises Linux machines. Similar to the Windows capabilities, these analytics span suspicious processes, dubious sign-in attempts, kernel module loading, and other activities.
You can see the alerts that can be generated and tracked by ASC for Linux here: https://learn.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-linux
Once generated, you will find them under your ASC section:
For more information about processes and alerts on Linux, check our GitHub simulation for Linux detection: https://github.com/Azure/Azure-Security-Center/blob/main/Simulations/Azure%20Security%20Center%20Linux%20Detections_v2.pdf
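As an added illustration of the pipeline the answer describes (raw auditd records aggregated into events, then run through detection analytics), here is a small Python example. It is not code from Azure Security Center, Azure Defender or the Log Analytics agent; the audit lines, the rule names and the alert fields are constructed for the example. It groups auditd records by their audit serial, the way one event spans several `type=` lines, and flags two of the behaviours mentioned above: kernel module loading (`init_module`/`finit_module` on x86_64) and execution of a binary from a temporary directory.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not captured from a real host). Event 201 is
# insmod loading a module via finit_module, 202 is an ordinary execve of ls, and
# 203 is an execve of a binary sitting in /dev/shm.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=313 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=0 euid=0 comm="insmod" exe="/usr/sbin/insmod" key="modules"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1000 uid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.202:202): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1400 pid=1401 auid=1000 uid=1000 euid=1000 comm="x" exe="/dev/shm/x" key=(null)
type=EXECVE msg=audit(1700000000.303:203): argc=2 a0="./x" a1="--quiet"
"""

# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the msg field carries the event timestamp and serial: audit(<secs>.<ms>:<serial>)
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

X86_64_ARCH = "c000003e"
# x86_64 syscall numbers of the module-loading calls
MODULE_LOAD_SYSCALLS = {"175": "init_module", "313": "finit_module"}
EXECVE_SYSCALL = "59"
# world-writable locations that legitimate software rarely executes from
TMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_record(line):
    """Split one auditd line into a dict and pull out timestamp and serial."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(rec.get("msg", ""))
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    return rec


def aggregate_events(log_text):
    """Group records that share an audit serial into one event (serial -> records)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec.get("serial")].append(rec)
    return events


def argv_of(records):
    """Rebuild argv from the EXECVE record (a0 .. a{argc-1}), if the event has one."""
    for r in records:
        if r.get("type") == "EXECVE" and "argc" in r:
            return [r.get(f"a{i}") for i in range(int(r["argc"]))]
    return []


def detect(events):
    """Run the two hypothetical rules over aggregated events and return alerts."""
    alerts = []
    for serial, records in events.items():
        for sc in (r for r in records if r.get("type") == "SYSCALL"):
            if sc.get("arch") != X86_64_ARCH:
                continue  # syscall numbers below are only valid for x86_64
            base = {"serial": serial, "pid": sc.get("pid"), "auid": sc.get("auid"),
                    "exe": sc.get("exe"), "timestamp": sc.get("timestamp")}
            if sc.get("syscall") in MODULE_LOAD_SYSCALLS:
                alerts.append({**base, "rule": "kernel_module_load",
                               "syscall": MODULE_LOAD_SYSCALLS[sc["syscall"]]})
            elif sc.get("syscall") == EXECVE_SYSCALL and sc.get("exe", "").startswith(TMP_PREFIXES):
                alerts.append({**base, "rule": "exec_from_tmp", "argv": argv_of(records)})
    return alerts


if __name__ == "__main__":
    for alert in detect(aggregate_events(SAMPLE_AUDIT_LOG)):
        print(alert)
```

Grouping by serial before applying rules matters: the EXECVE record that carries the command line and the SYSCALL record that carries the executing user and binary are separate lines in auditd output, and a rule that looks at one line at a time cannot combine them.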