Getting started with Sophos Linux Sensor detections

What are detections?

Sophos Linux Sensor (SLS) detections are a collection of drop-in configurations that allow you to instantly gain visibility into security incidents in your environment. The Sophos research team curates this coverage using real-world attacker data to provide accurate insights into attacker activity - without impacting the performance of your systems.

Detections are classified into the following categories:

Note

Sophos only supports unmodified default detection content. For assistance with modified content and custom detections, contact Sophos Professional Services.

What coverage is provided by SLS detections?

There are two key categories of coverage: Core and Enhanced.

Core Detection Coverage maximizes usability and performance, offering a range of detections that work independent of environment characteristics and incur a minimal performance impact regardless of workload. You can think of core detections like burglar alarms on windows, doors, air vents, and other things that are more likely to indicate something unwanted is happening in your home.

Enhanced Detection Coverage provides much deeper insight into system activity. These detections enable SLS to more intelligently determine the security relevance of this activity and provide more context for incident analysts. However, this increased depth does require more processing power, and not all of the detections exclusive to Enhanced detection are suitable for each workload type.

Installing SLS detections

Getting set up with the default SLS detections is straightforward. You must install the SLS Content package alongside your sensor. See Installing Sophos Linux Sensor.

Where are detections located?

The SLS content package is installed in /var/lib/sophos/content/runtimedetections-content.yaml, a single content file containing all detections with their default configurations. We don't recommend changing the contents of this file because it's overwritten when you update the content package.

You can override the detections and lists within this file by creating and editing the /etc/sophos/runtimedetections-rules.yaml configuration file. When the content package is updated, /var/lib/sophos/content/runtimedetections-content.yaml is overwritten but /etc/sophos/runtimedetections-rules.yaml is not. This keeps any modifications you've made to adjust detection content for your environment.

When a sensor starts up, it reads the packaged content and then applies any overrides. The sensor writes a "reference" copy of the result of merging runtimedetections-content.yaml with runtimedetections-rules.yaml to /var/run/sophos/cache_analytics.yaml. This cache YAML file is the effective detection configuration the sensor is running with; you can inspect or save it for debugging or auditing purposes.
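The override mechanism described above is easiest to reason about with a small audit script. The following is an added example, not Sophos code: it assumes that the rules file overrides the packaged content key by key (the real YAML schema and merge semantics are not documented on this page, so the sample documents and the merge function are illustrative assumptions), and it uses the three file paths named in the text. The pure functions run on constructed dictionaries; the `audit_files` helper is the same logic pointed at the real files on a sensor host and needs PyYAML.

```python
"""Audit which SLS detection settings have been overridden locally.

Added example, not Sophos code. The file paths are those named in the
documentation; the YAML structure is not documented there, so the merge
semantics (a recursive key-wise override of the packaged content by the
rules file) and the sample documents below are assumptions/constructed.
"""
from typing import Any

CONTENT_PATH = "/var/lib/sophos/content/runtimedetections-content.yaml"  # packaged, overwritten on update
RULES_PATH = "/etc/sophos/runtimedetections-rules.yaml"                   # local overrides, preserved
CACHE_PATH = "/var/run/sophos/cache_analytics.yaml"                       # merged result written by the sensor


def apply_overrides(content: dict, rules: dict) -> dict:
    """Return a new mapping: packaged content with the rules applied on top.

    Nested mappings are merged key by key; any other value in the rules
    file replaces the packaged value outright (assumed semantics).
    The inputs are not modified.
    """
    merged = dict(content)
    for key, value in rules.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = apply_overrides(merged[key], value)
        else:
            merged[key] = value
    return merged


def diff_paths(packaged: Any, effective: Any, prefix: str = "") -> list[str]:
    """List dotted paths where the effective (cached) configuration differs
    from the packaged content, i.e. exactly what local overrides changed."""
    if isinstance(packaged, dict) and isinstance(effective, dict):
        out: list[str] = []
        for key in sorted(set(packaged) | set(effective)):
            path = f"{prefix}.{key}" if prefix else str(key)
            if key not in packaged:
                out.append(f"{path}: added")
            elif key not in effective:
                out.append(f"{path}: removed")
            else:
                out.extend(diff_paths(packaged[key], effective[key], path))
        return out
    if packaged != effective:
        return [f"{prefix}: {packaged!r} -> {effective!r}"]
    return []


def audit_files(content_path: str = CONTENT_PATH, cache_path: str = CACHE_PATH) -> list[str]:
    """Compare the real packaged content with the sensor's merged cache
    on a host (requires PyYAML; run as a user that can read both files)."""
    import yaml  # third-party; only needed for the on-host path
    with open(content_path) as f:
        packaged = yaml.safe_load(f)
    with open(cache_path) as f:
        effective = yaml.safe_load(f)
    return diff_paths(packaged, effective)


# Constructed sample documents for illustration only (not the real schema).
SAMPLE_CONTENT = {
    "detections": {
        "suspicious_shell": {"enabled": True, "severity": "high"},
        "noisy_cron_scan": {"enabled": True, "severity": "low"},
    },
    "lists": {"trusted_binaries": ["/usr/bin/ssh"]},
}
SAMPLE_RULES = {
    # Disable one detection for this environment and extend an allow list;
    # everything not mentioned keeps its packaged default.
    "detections": {"noisy_cron_scan": {"enabled": False}},
    "lists": {"trusted_binaries": ["/usr/bin/ssh", "/opt/backup/agent"]},
}

if __name__ == "__main__":
    effective = apply_overrides(SAMPLE_CONTENT, SAMPLE_RULES)
    for line in diff_paths(SAMPLE_CONTENT, effective):
        print(line)
```

Running the script on the constructed sample prints one line per changed path, which is the kind of record worth keeping alongside a change ticket when you adjust detection content. On a real host, `audit_files()` produces the same listing from the packaged content file and the cache file, so you can confirm that the sensor actually picked up your rules file after a restart or a content package update.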

Updates to detection content

Sophos regularly publishes new detection content for SLS. When an update is made available, you simply need to download and install the new content package. See Installing SLS detections.

If you have installed SLS content using a standard package manager, updates will be made available in the Sophos package repository, much the same as the sensor. Updates adhere to the system update management programs you have in place (e.g. weekly apt updates). See Updating Sophos Linux Sensor.

Kubernetes Users

Kubernetes deployments that include content should be updated with the content version associated with the image name (e.g. sophos-linux-content:5.4.1.257).