Categories of detections
This section gives you an overview of the detection features that Sophos regularly updates.
Sophos Linux Sensor's (SLS) detection analytics provide various overlapping layers of system security monitoring to cover the many facets of an attack. Our philosophy isn't to create detection methods for specific security vulnerabilities or exploits but to cover attack categories and entire vulnerability classes by detecting the low-level behaviors required to carry out an exploit or other security violation. Therefore, our detections are geared towards low-level system monitoring, providing a lightweight mechanism for the observation and detection of behavioral events which are indicators of malicious behavior within an organization's environment.
SLS breaks up Detection Analytics into three classes. These detections minimize false positives and performance impact (CPU and network utilization). Most of these detections are turned on by default. SLS provides additional detections that are disabled by default - you can turn these on to provide more aggressive detection at the risk of performance or false positives. The detection classes are as follows:
| Detection class | Detected behavior |
| --- | --- |
| Application Exploitation | Exploitation of vulnerabilities in Linux applications, including memory corruption, unusual application behavior, and container escapes. |
| System Exploitation | Exploitation of vulnerabilities in the underlying Linux system, such as privilege escalation, tampering of security mechanisms (e.g. SELinux), use of common kernel exploitation methods, and container escapes. |
| Persistence | Retention of access across host restarts, including kernel backdoors or userland backdoors. |
Like Detection Analytics, Smart Policy detections focus on unwanted system behavior rather than active exploitation techniques. These behaviors only generate alerts when observed in a process already deemed malicious by a Detection Analytics detection. In isolation, the behavior likely would not qualify as malicious activity.
For example, if SLS detects a malicious interactive shell through Detection Analytics, it generates an alert. If a `chmod` event occurs within that interactive shell, that `chmod` event is associated with the interactive shell incident via Smart Policy, thus making it worthy of an alert. Without an association with a malicious process, the `chmod` event would not have created an alert.
The Audit Trail feature still records the `chmod` event, even without the association.
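The escalation rule just described, modelled as a small correlator. This is an added illustration, not SLS code or its event format: the event fields, the ancestry walk and the sample events are all assumptions made here to show why the same `chmod` is an alert inside a flagged shell but audit-only elsewhere.

```python
from dataclasses import dataclass

@dataclass
class Event:
    pid: int
    ppid: int
    kind: str      # "detection" = Detection Analytics hit; anything else is a Smart Policy behavior
    detail: str = ""

class Correlator:
    """Toy Detection Analytics -> Smart Policy -> Audit Trail pipeline (hypothetical)."""

    def __init__(self):
        self.parent = {}       # pid -> ppid, so behavior in a flagged shell's subtree can be linked
        self.incidents = {}    # pid -> incident id for processes Detection Analytics deemed malicious
        self.audit_trail = []  # every observed behavior, escalated or not
        self.alerts = []       # (incident id, kind, detail) for everything that became an alert

    def _incident_for(self, pid):
        # Walk the process ancestry: a chmod run from a malicious interactive
        # shell inherits that shell's incident.
        seen = set()
        while pid and pid not in seen:
            seen.add(pid)
            if pid in self.incidents:
                return self.incidents[pid]
            pid = self.parent.get(pid)
        return None

    def observe(self, ev):
        self.parent.setdefault(ev.pid, ev.ppid)
        if ev.kind == "detection":
            # Detection Analytics: always an alert, and it opens an incident for the process.
            self.incidents[ev.pid] = f"incident-{len(self.incidents) + 1}"
            self.alerts.append((self.incidents[ev.pid], ev.kind, ev.detail))
            return "alert"
        # Smart Policy behavior: Audit Trail records it regardless of association.
        self.audit_trail.append((ev.pid, ev.kind, ev.detail))
        incident = self._incident_for(ev.pid)
        if incident is None:
            return "audit-only"
        self.alerts.append((incident, ev.kind, ev.detail))
        return "alert"

# Constructed sample: a flagged interactive shell (pid 100), a chmod from its child,
# and an unrelated chmod from an unflagged process.
SAMPLE = [
    Event(100, 1, "detection", "malicious interactive shell"),
    Event(101, 100, "chmod", "chmod 4755 /tmp/x"),
    Event(200, 1, "chmod", "chmod 644 notes.txt"),
]

def run_sample():
    c = Correlator()
    return [c.observe(e) for e in SAMPLE], c
```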
There are four different groups of Smart Policy detections that indicate the type of behavior being monitored. These are presented below, along with general categories of detected behavior.
| Detection group | Detected behavior |
| --- | --- |
| File Activity | Changes to system binaries, configuration changes, file deletion, and unusual files created. |
| Network Activity | Lateral movement, network service behavior, and network sniffing. |
| Process Activity | Abnormal process execution, compiler usage, debugging, scheduled task changes. |
| User Activity | Privileged command usage, risky developer activity, and user account changes. |
SLS allows for more detailed logging and tracing of system activity through Audit Trail detections. These detections include the Smart Policy detections, but also monitor additional system behavior that would never be escalated to a full alert. Audit Trail detections use the same detection groups as Smart Policy.
Updates to detection content
SLS Detection Analytics and Smart Policy features are designed to allow you to regularly update them with new content from Sophos, while retaining any modifications you've made to adjust detection content for your environment. The updates allow for "constrained" customizations, such as changing the alert priority or adding items to allowlists for your environment.