Advanced Linux Runtime Detection Profile configuration
Linux Runtime Detection Profiles have multiple versions, rule categories, and filtering options to help you customize your profiles for your environment.
Versions
There are two different versions that can change in a Linux Runtime Detection Profile:
- Profile Version: Profile versioning starts when you create a profile, and a new version is created each time you change it. This lets you track changes and updates to the profile over time.
- Content Version: This is the version of SophosLabs default content used in a profile.
Content updates
The Linux Runtime Detection Profile content updates affect Sophos Protection for Linux Agents (SPL) and Sophos Linux Sensors (SLS) differently:
- SPL: SPL agents always use the latest version of SophosLabs default content. When SophosLabs releases an updated version of default content, SPL agents pull the content and update their pre-existing profiles based on the new content version. This means you may need to update your profiles after a SophosLabs default content update. For example, setting the Modified filter on a profile to True shows only the rules that you've previously edited, so that you can check them for changes.
- SLS: SLS lets you configure profiles based on the version of SophosLabs default content you're using for your sensors. SLS must be manually updated when a new content version is available.
Rule categories
Linux Runtime Detection Profiles have two tabs for rules: Detection Analytics and Smart Policy.
Detection Analytics
Detection Analytics includes rules that use low-level system monitoring to detect indicators of malicious behavior. SophosLabs separates them into the following categories:
- Application Exploitation: Detects the exploitation of applications running on the host, for example, memory corruption or unusual application behavior.
- System Exploitation: Detects the exploitation of vulnerabilities on the Linux system, for example, privilege escalation and tampering with security mechanisms.
- Persistence: Detects events that provide continued access after the host restarts, for example, kernel or userland backdoors.
Smart Policy
Smart Policy includes rules that look at activity following an event where a process has already triggered an initial detection. These detections provide context for additional events that may be malicious. SophosLabs separates them into the following categories:
- File Activity: Changes to system binaries, configurations, and file updates.
- Network Activity: Activity that indicates lateral movement and network service behavior.
- Process Activity: Abnormal process execution, compiler/debugger usage, and scheduled task changes and updates.
- User Activity: Privilege and user account updates.
Details
You can see the following details for the rules on each tab:
- Rule Name: The name of the rule. Click Rule Name at the top of the column to sort the rules alphabetically.
- Rule Description: The behavior that triggers the alert and why it may be considered malicious.
- Modified: Shows whether or not the rule has been modified from the SophosLabs default content.
- Configurable: Shows whether or not the rule can be customized.
- Category: The category of the rule. See Rule categories.
- Enabled: Shows whether the rule is turned on or off.
Filters
You can apply filters to the list to make finding individual rules easier. You can filter the list by Category, Enabled, Modified, and Configurable. To apply filters, do as follows:
- Click Show filters.
- Expand the categories you want to filter.
- Select the items you want to show in the rule list.
Tip
You can apply multiple filters in multiple categories simultaneously.
- Click Apply.
Click Hide filters to hide the filter options.
To remove any applied filters, click Clear All and then click Apply.
Note
Clicking Hide filters doesn't remove the filters from the rule list. You must clear the applied filters manually.
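The following Python model is an added example, not Sophos code or the product's API. It illustrates two things from this page: how the rule attributes listed under Details behave under the Show filters panel, and the check recommended after an SPL content update (use the Modified filter to find the rules you edited, then compare them against the new default content). The rule names, the two content versions and the overrides are constructed; the filter semantics (values chosen within one filter are alternatives, and every filter you set must hold) are an assumption about the UI, not something the page states.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """One profile rule with the attributes shown in the Details list."""
    name: str
    category: str        # a Detection Analytics or Smart Policy category
    enabled: bool
    configurable: bool


# Constructed default content for two content versions (rule names are invented).
DEFAULT_CONTENT: Dict[int, List[Rule]] = {
    1: [
        Rule("Kernel module loaded", "Persistence", True, True),
        Rule("Compiler executed", "Process Activity", False, True),
        Rule("Sudoers file modified", "File Activity", True, False),
    ],
    2: [
        Rule("Kernel module loaded", "Persistence", True, True),
        Rule("Compiler executed", "Process Activity", True, True),   # default flipped on
        Rule("Sudoers file modified", "File Activity", True, False),
        Rule("Cron entry added", "Process Activity", True, True),    # new rule in v2
    ],
}


def build_profile(content_version: int, overrides: Dict[str, dict]) -> List[dict]:
    """Effective rule list: default content with the user's per-rule overrides
    applied. A rule is flagged Modified when the user has edited it."""
    rows = []
    for rule in DEFAULT_CONTENT[content_version]:
        edits = overrides.get(rule.name, {})
        rows.append({"rule": replace(rule, **edits), "modified": bool(edits)})
    return rows


def filter_rules(rows: List[dict], category: Optional[Set[str]] = None,
                 enabled: Optional[Set[bool]] = None, modified: Optional[Set[bool]] = None,
                 configurable: Optional[Set[bool]] = None) -> List[dict]:
    """Assumed Show filters semantics: each argument is the set of accepted values
    for that filter (None means the filter is not set); a row must satisfy every
    filter that is set."""
    def ok(row: dict) -> bool:
        r = row["rule"]
        checks = [
            (category, r.category),
            (enabled, r.enabled),
            (modified, row["modified"]),
            (configurable, r.configurable),
        ]
        return all(wanted is None or value in wanted for wanted, value in checks)
    return [row for row in rows if ok(row)]


def changed_defaults(old_version: int, new_version: int) -> List[str]:
    """Names of rules whose SophosLabs default differs between two content
    versions, including rules added or removed."""
    old = {r.name: r for r in DEFAULT_CONTENT[old_version]}
    new = {r.name: r for r in DEFAULT_CONTENT[new_version]}
    return sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))


def rules_to_review(version_before: int, version_after: int,
                    overrides: Dict[str, dict]) -> List[str]:
    """The post-update check: rules you edited whose default content also changed."""
    return sorted(set(overrides) & set(changed_defaults(version_before, version_after)))


if __name__ == "__main__":
    my_overrides = {"Compiler executed": {"enabled": True}}   # constructed edit
    profile = build_profile(2, my_overrides)
    print([r["rule"].name for r in filter_rules(profile, modified={True})])
    print(rules_to_review(1, 2, my_overrides))
```

Setting the Modified filter to True narrows the list to the edited rule, and `rules_to_review` reports that the same rule's default changed between content versions, which is exactly the rule worth re-checking after an SPL agent pulls new content.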
Rule details
You can click a rule to see the following details and customization options:
- Enabled: Shows if the rule is turned on or off.
- Description: The behavior that triggers the alert and why it may be considered malicious.
- Alert Message: The alert message displayed when the rule is triggered.
- Priority: The severity of the alert.
- MITRE ATT&CK techniques: The related MITRE ATT&CK technique for the rule. Clicking the technique ID takes you to the relevant MITRE ATT&CK page for full details.
- Output: The contents of the "output" field within a detection.
Allow and block lists
Allow/Block List lets you select from the allow and block lists associated with the rule from a drop-down menu. These lists let you turn individual items within a rule on or off to suit your environment.
Add an entry
You can click Add an entry to add a custom item to a rule.
You can tell custom items apart from SophosLabs default items by the Sophos shield icon, which appears only on SophosLabs default items.
Click delete to remove a custom item from an Allow/Block List.