Skip to content

Getting started with Sophos Linux Sensor Detections

What are Detections?

Sophos Linux Sensor (SLS) Detections are a collection of drop-in configurations that allow you to instantly gain visibility into security incidents in your environment. The Sophos research team curates this coverage using real-world attacker data to provide accurate insights into attacker activity - without impacting the performance of your systems.

Detections are classified into the following categories:


Sophos only supports unmodified default detection content. For assistance with modified content and custom detections, contact Sophos Professional Services.

What coverage is provided by SLS Detections?

There are two key categories of coverage: Core and Enhanced.

Core Detection Coverage maximizes usability and performance, offering a range of detections that work independent of environment characteristics and incur a minimal performance impact regardless of workload. You can think of core detections like burglar alarms on windows, doors, air vents, and other things that are more likely to indicate something unwanted is happening in your home.

Enhanced Detection Coverage provides much deeper insight into system activity. These detections enable SLS to more intelligently determine the security relevance of this activity and provide more context for incident analysts. However, this increased depth does require more processing power, and not all of the detections exclusive to Enhanced detection are suitable for each workload type.

Installing SLS Detections

Getting set up with the default SLS Detections is straightforward. You must install the SLS Content package alongside your sensor. The following links will guide you through the download, verification, and installation of SLS Detection content:

Where are detections located?

The SLS packaged content is installed in /var/lib/sophos/content/runtimedetections-content.yaml, a single content file containing all detections with their default configurations. You can override the detections and lists within this file with customizations in the host's configuration file - /etc/sophos/runtimedetections-rules.yaml. While the content file will be updated whenever the SLS content package is upgraded, the host's configuration file won't be modified by a SLS package and will retain any overrides and customizations across SLS content releases.

The location of the content file is controlled with the content_path configuration directive, which can be applied in the host's configuration file. By default, the value of content_path is set to /var/lib/sophos/content/runtimedetections-content.yaml. Setting a custom content_path will direct the sensor to read content from the specified location.

When a sensor starts up, reads the packed content, and then applies any overrides, the sensor writes a "reference" copy of the merger of the runtimedetections-content.yaml with the runtimedetections.yaml to this location: /var/run/sophos/cache_analytics.yaml. This cache yaml file represents the result of the merger, which you can inspect or save for debugging or auditing purposes.

Updates to Detection Content

SLS Detections are designed to allow you to regularly update them with new content from Sophos, while retaining any modifications you've made to adjust detection content for your environment. The updates allow for "constrained" customizations, such as changing the alert priority or adding items to allowlists for your environment.

Back to top