What is the Investigations feature?
Sophos Linux Sensor (SLS) has a feature that adds the ability to generate data that can aid in investigations of suspicious activity. The Investigations data provides historical context to alerts by allowing expert users to query security-relevant telemetry from their hosts running SLS.
SLS generates low-level telemetry about the running instance. This telemetry is then processed to construct higher-level events called Metaevents. When you turn on Investigations, the Metaevents are stored and exposed on an opt-in basis. You can use the resulting data to investigate security incidents, audit systems, or conduct further analysis. In a typical deployment, Investigations stores Metaevents in object stores such as AWS S3, MinIO, Azure Blob storage, and so on.
SLS outputs Metaevents in Apache Parquet, a columnar storage format with support across tools such as Apache Hive, AWS Athena, and GCP BigQuery.
The amount of storage space used by investigations can vary based on the type of workload, but the recommended amount of space is around 500MB per sensor per day. The average observed data size is 110.8 events per second, or 363.4MB a day once output to Parquet.