Thanks @FranklinFurter
You're probably seeing this because of your ZFS filesystem. ZFS is not currently on the list of default file systems that Defend monitors on Linux. You can add it using the advanced options section of policy as described here: Configure Linux file system monitoring | Elastic Security Solution [8.14] | Elastic
You specifically will want to edit linux.advanced.fanotify.monitored_filesystems
I believe if you set that you will start to see the events you're looking for.