Skip to content

Overview of Sophos Linux Sensor and its components


Sophos Linux Sensor (SLS) is a lightweight Linux sensor that uses APIs to integrate runtime threat detection, in host or container, with your existing threat response tools.

With SLS, you can do the following:

  • Monitor and detect unwanted security events across your enterprise Linux systems.
  • Integrate SLS with your existing logging and alerting infrastructure.
  • Create custom rule sets ("detections") for detection and response.

Overview of components


A lightweight agent installed on Linux hosts, collecting events from the hosts to trigger alert generation or automated response.


Sets of detection/response rules that monitor specified resources for a certain set of abnormal activity or conditions.


The output of detection policies, notifying when systems behaviors violate the specified policy.

Back to top