Managing Enabled Content

Once you're familiar with Sophos Linux Sensor's (SLS) detections and have successfully added default detections to your environment, you can consider adjusting SLS's default detections to suit your environment. This guide will help you understand the adjustments you can use to do so.

Content groups

SLS detection content is grouped to support high-level management of detection groups (Detection Analytics and Smart Policy). To manage the content groups that can be enabled, the enabled_content_groups configuration directive can be used in the host's configuration file (/etc/sophos/runtimedetections-rules.yaml).

The default configuration for enabled_content_groups is shown below:

enabled_content_groups:
  - Detection Analytics
  - Smart Policy
  - Audit

This configuration enables all detections that are associated with the Detection Analytics and Smart Policy content groups.

Note

Please make sure to include 'Audit' in the message type, as described in the documentation.

The grouping of detections is hierarchical, so that all or a subset of detections can be enabled. In the example configuration below, all Smart Policy detections are marked enabled, but only "System Exploitation" is enabled for Detection Analytics:

enabled_content_groups:
  - Detection Analytics.System Exploitation
  - Smart Policy
  - Audit

This configuration effectively disables all Detection Analytics detections that are not related to System Exploitation.

Note

Some detections included in the SLS content package may be disabled by default at the individual detection level. This is due to the potential for the detection to impact performance, or because the detection may carry an increased risk of generating false-positive alerts. If an enabled content group includes one of these detections, that detection won't be enabled by default; it would need to be manually enabled. See Adjusting individual detections.
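The following script is an added illustration of the two rules described above (the hierarchical enabled_content_groups matching, and the individually disabled detections that an enabled group does not switch on). It is not Sophos code and does not read the real SLS content package. It assumes that a group entry covers a detection when it equals the detection's group path or is a dot-separated ancestor of it; the detection names, the per-detection disabled-by-default flags and the "Example ..." group names are constructed sample data, and the manually_enabled parameter stands in for whatever mechanism "Adjusting individual detections" provides, which this page does not describe.

```python
"""Preview which sample detections a given enabled_content_groups list enables.

Added illustration, not Sophos code. Assumptions (not stated on the page):
  * a group entry matches a detection when it equals the detection's group
    path or is a dot-separated prefix of it, e.g. "Detection Analytics"
    covers "Detection Analytics.System Exploitation"
  * the catalogue below is constructed sample data; only the group
    "Detection Analytics.System Exploitation" appears on the page
"""
from typing import Dict, Iterable, List, NamedTuple

# The two configurations shown on the page, as text a config loader would see.
CONFIG_DEFAULT = """\
enabled_content_groups:
  - Detection Analytics
  - Smart Policy
  - Audit
"""

CONFIG_NARROWED = """\
enabled_content_groups:
  - Detection Analytics.System Exploitation
  - Smart Policy
  - Audit
"""


class Detection(NamedTuple):
    name: str              # constructed sample name
    group: str             # dot-separated group path
    default_disabled: bool # disabled at the individual level by default


# Constructed sample catalogue (hypothetical names and groups).
CATALOGUE: List[Detection] = [
    Detection("sample_kernel_exploit", "Detection Analytics.System Exploitation", False),
    Detection("sample_noisy_heuristic", "Detection Analytics.System Exploitation", True),
    Detection("sample_other_analytic", "Detection Analytics.Example Other Group", False),
    Detection("sample_policy_rule", "Smart Policy.Example Policy", False),
]


def parse_enabled_groups(text: str) -> List[str]:
    """Extract the enabled_content_groups list from a rules file.

    Deliberately minimal: handles only the flat list form shown on the page,
    so it runs without a YAML library. Comments and blank lines are skipped;
    the next top-level key ends the list.
    """
    groups: List[str] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("enabled_content_groups:"):
            in_block = True
            continue
        if in_block and line.lstrip().startswith("- "):
            groups.append(line.lstrip()[2:].strip().strip("'\""))
        elif in_block and not line.startswith(" "):
            break
    return groups


def group_matches(enabled: str, detection_group: str) -> bool:
    """Hierarchical match: exact group, or the enabled entry is an ancestor."""
    return detection_group == enabled or detection_group.startswith(enabled + ".")


def effective_detections(config_text: str,
                         catalogue: Iterable[Detection] = CATALOGUE,
                         manually_enabled: Iterable[str] = ()) -> Dict[str, bool]:
    """Map each catalogue detection to whether the config enables it.

    A detection is on when some enabled group covers it, unless it is disabled
    by default at the individual level and was not manually enabled.
    """
    enabled_groups = parse_enabled_groups(config_text)
    manual = set(manually_enabled)
    result: Dict[str, bool] = {}
    for det in catalogue:
        covered = any(group_matches(g, det.group) for g in enabled_groups)
        if det.default_disabled and det.name not in manual:
            covered = False
        result[det.name] = covered
    return result


def audit_missing(config_text: str) -> bool:
    """True when the config omits the Audit entry the note above requires."""
    return "Audit" not in parse_enabled_groups(config_text)


if __name__ == "__main__":
    for label, cfg in (("default", CONFIG_DEFAULT), ("narrowed", CONFIG_NARROWED)):
        print(label, effective_detections(cfg), "audit missing:", audit_missing(cfg))
```

Running it shows the narrowed configuration dropping the sample detection outside System Exploitation while keeping the Smart Policy one, and the individually disabled sample staying off under both configurations until it is passed in manually_enabled. The audit_missing check is a cheap pre-deployment guard for the Audit requirement noted above.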