Skip to content

Adjusting individual detections

While Content Groups provide an easy way to turn a group of detections on or off, sometimes a finer-grained approach is needed. Sophos Linux Sensor (SLS) supports tuning the attributes of individual detection mechanisms to provide granular enable/disable controls, altering the priority of an alert, changing the response action, and more. Here are some common attribute overrides and examples.

Enabling a default-disabled detection

Refer to the List of Detection Categories and their Individual Detections for a list of default-disabled detections. For example, the New File Executed in Container detection is included in the SLS content packages, but is turned off by default. The tracking of the file telemetry that supports this detection can hurt performance for some systems, so you must opt-in to use it.

To turn this detection on, you must add the following lines to /etc/sophos/runtimedetections-rules.yaml:

New File Executed in Container:
  enabled: true

These lines override the enabled attribute of the New File Executed in Container detection. Restarting SLS after having applied the above snippet will enable the New File Executed in Container detection.

Setting a detection to have a "kill" response

Warning

You can't revert an automated response. Sophos strongly recommends testing automated responses using dry runs before you turn them on in a production environment. See dry runs.

All detections provided by Sophos alert by default, but most detections support additional response actions. A common use case for SLS is to set certain detections to an "enforcing" mode that will kill any processes that violate the detection rules.

For example, the Kernel Exploit detection is a good candidate for enforcement, as the detection has a very strong degree of certainty (i.e., very low false-positive rate). To turn on the "enforcing" mode for Kernel Exploit and kill offending processes in their tracks, override the responseActions attribute for this detection by placing the following override snippet in the host's configuration file:

Kernel Exploit:
  responseActions:
    - kill

Restarting SLS with the above configuration will ensure that any processes that violate the Kernel Exploit detection will be killed if the process generating the detection is still present.

Customizable attributes

Note

Not all properties are customizable as modification of some attributes would fundamentally change the nature of a detection. If the attributes in this list are insufficient for configuring detections, custom policies allow you to create customized detections for your environment. See Creating custom detection policies.

Detection Attribute Customizable?
policy no
enabled yes
alertMessage yes
comments yes
priority yes
responseActions yes
dryRun yes
rules no
alertLabels yes
additionalCategories yes
alertDetail yes
contentGroups yes


List Attribute Customizable?
type no
description yes
list yes

Advanced configuration: adjusting allowlists and blocklists

For more information on adjusting allowlists and blocklists, see Advanced Topics: Lists.

Back to top