Ideally, the auto backend should choose the best available option for a given platform.

This means:

• for linux ebpf
• for windows etw (when [auditbeat] New ETW backend for FIM #45887 is merged)
• anything else fsnotify

This also means that if the system lacks support for these backends, we should fallback to the next best option, until we reach one that works. We need a fallback mechanism such as:

• for linux ebpf -> kprobes -> fsnotify
• for windows etw -> fsnotify
• the rest fsnotify

We still need to decide if this fallback mechanism should only happen when auto is the chosen option, or if it should also take effect on any case eg we chose kprobes, they fail, we fallback to fsnotify (cc @jamiehynds )