diff --git a/x-pack/auditbeat/seccomp_linux.go b/x-pack/auditbeat/seccomp_linux.go
index 709d973465d6..5dd05618d31c 100644
--- a/x-pack/auditbeat/seccomp_linux.go
+++ b/x-pack/auditbeat/seccomp_linux.go
@@ -35,5 +35,13 @@ func init() {
 		); err != nil {
 			panic(err)
 		}
+
+		// The sessionmd processor kerneltracingprovider needs
+		// memfd_create to operate via EBPF
+		if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
+			"memfd_create",
+		); err != nil {
+			panic(err)
+		}
 	}
 }