Developing an effective File Integrity Monitoring (FIM) system for large-scale infrastructures like Datadog's poses significant challenges that traditional methods cannot adequately address. Existing techniques, such as periodic filesystem scans and legacy event-based Linux monitoring technologies like inotify and auditd, fail to provide the necessary real-time insights and system-level context. By leveraging eBPF, Datadog's engineering team was able to observe real-time file activity directly from the kernel, offering detailed insights into which process or container triggered file changes. This approach, however, generated an overwhelming volume of data, necessitating innovative solutions to handle billions of events per minute without degrading performance. Datadog addressed this by implementing Agent-side rules and in-kernel filtering techniques, specifically using "approvers" and "discarders," to pre-filter up to 94% of events directly in the kernel. This method allowed for efficient processing and transmission of only critical events, significantly reducing data loads while maintaining full detection coverage. The overarching goal is not just to detect file changes but to enrich these events with context, providing security teams with actionable insights for effective investigation and response.
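An added illustration of the approver/discarder idea described above, written for this page and not taken from Datadog's Agent: a user-space simulation in which approvers are file basenames derived from the rule set and discarders are inodes learned when full rule evaluation finds no match. The rule shape (exact path per rule), the event tuple and the sample stream are constructed assumptions.

```python
import os
from dataclasses import dataclass, field

# Constructed sample stream of file-open events: (pid, path, inode).
SAMPLE_EVENTS = [
    (101, "/etc/passwd", 10),
    (102, "/tmp/build/obj.o", 20),
    (102, "/tmp/build/obj.o", 20),
    (103, "/etc/ssh/sshd_config", 11),
    (104, "/tmp/passwd", 30),   # passes the basename approver, matches no rule
    (104, "/tmp/passwd", 30),   # second hit on the same inode: dropped by discarder
    (101, "/etc/shadow", 12),
]

@dataclass
class Rule:
    name: str
    path: str  # assumed rule shape: the exact path the rule watches

@dataclass
class Pipeline:
    rules: list
    approvers: set = field(init=False)            # basenames derived from rules
    discarders: set = field(default_factory=set)  # inodes known to match no rule
    stats: dict = field(default_factory=lambda: {"discarded": 0, "not_approved": 0, "sent": 0})

    def __post_init__(self):
        # Approvers come from the rule set: only basenames some rule mentions can pass.
        self.approvers = {os.path.basename(r.path) for r in self.rules}

    def kernel_filter(self, path, inode):
        """Stands in for the in-kernel stage: drop before the event reaches user space."""
        if inode in self.discarders:
            self.stats["discarded"] += 1
            return False
        if os.path.basename(path) not in self.approvers:
            self.stats["not_approved"] += 1
            return False
        return True

    def userspace_eval(self, pid, path, inode):
        """Full rule evaluation; on no match, teach the filter a discarder for this inode."""
        hits = [r.name for r in self.rules if r.path == path]
        if not hits:
            self.discarders.add(inode)
            return None
        self.stats["sent"] += 1
        return {"pid": pid, "path": path, "inode": inode, "rules": hits}

    def run(self, events):
        sent = []
        for pid, path, inode in events:
            if self.kernel_filter(path, inode):
                evt = self.userspace_eval(pid, path, inode)
                if evt:
                    sent.append(evt)
        return sent
```

Of the seven sample events, only two reach the output; the `stats` counters show how many were cut by each stage.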