Overview of Sophos Linux Sensor architecture
Data collection
The Sophos Linux Sensor (SLS) collects many different data types by default.
- Container lifecycle
- File opens
- Kernel function calls
- Network activity
- Process lifecycle
- Raw system calls
Sensor architecture
SLS collects host telemetry through a kprobe event monitor. We use perf, an instrumentation tool within the Linux kernel, to extract kprobe events. The sensor includes a telemetry service via a gRPC server to receive telemetry events.
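As an added illustration of the collection mechanism described above (example code, not part of SLS or this page), this is how a monitor attaches a kprobe through the kernel perf subsystem with perf_event_open: it reads the dynamic PMU type of the kprobe event source, fills a perf_event_attr with the target symbol, and opens the event. The kernel symbol do_sys_openat2 is an assumed example (present on recent kernels); opening the event needs root or CAP_PERFMON, so the attach step is expected to fail in an unprivileged environment.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <linux/perf_event.h>

/* Dynamic PMU type of the kprobe event source; -1 if the kernel lacks it. */
static int read_kprobe_pmu_type(void) {
    FILE *f = fopen("/sys/bus/event_source/devices/kprobe/type", "r");
    int type = -1;
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &type) != 1) type = -1;
    fclose(f);
    return type;
}

/* Fill a perf_event_attr for a kprobe (retprobe=0) or kretprobe (retprobe=1)
 * on kernel symbol `symbol` at byte `offset`. For the kprobe PMU, config1 and
 * config2 carry the kprobe_func pointer and probe_offset respectively. */
static void build_kprobe_attr(struct perf_event_attr *attr, int pmu_type,
                              const char *symbol, uint64_t offset, int retprobe) {
    memset(attr, 0, sizeof(*attr));
    attr->size = sizeof(*attr);
    attr->type = (uint32_t)pmu_type;
    attr->config = retprobe ? 1 : 0;             /* bit 0: PERF_PROBE_CONFIG_IS_RETPROBE */
    attr->config1 = (uint64_t)(uintptr_t)symbol; /* kprobe_func */
    attr->config2 = offset;                      /* probe_offset */
    attr->sample_type = PERF_SAMPLE_TID | PERF_SAMPLE_TIME;
    attr->sample_period = 1;                     /* record every hit, not a sample rate */
    attr->disabled = 1;                          /* enable explicitly once set up */
}

/* A real monitor opens the event per CPU; one CPU is enough to show the call.
 * Returns the event fd, or -1 without privilege or a kprobe PMU. */
static int open_kprobe(const char *symbol, int retprobe) {
    int pmu = read_kprobe_pmu_type();
    if (pmu < 0) return -1;
    struct perf_event_attr attr;
    build_kprobe_attr(&attr, pmu, symbol, 0, retprobe);
    int fd = (int)syscall(SYS_perf_event_open, &attr, -1, 0, -1, PERF_FLAG_FD_CLOEXEC);
    if (fd >= 0) ioctl(fd, PERF_EVENT_IOC_ENABLE, 0);
    return fd;
}

int main(void) {
    int fd = open_kprobe("do_sys_openat2", 0); /* assumed symbol: file opens */
    if (fd >= 0) { printf("kprobe attached, fd=%d\n", fd); close(fd); }
    else printf("could not attach kprobe (privilege or PMU missing)\n");
    return 0;
}
```

Once the event is enabled, a monitor mmaps the fd and drains sample records from the ring buffer; that consumer side is what feeds the telemetry service.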
Leveraging this telemetry, SLS adds detection, integration, and investigation capabilities.
| Component | Description |
|---|---|
| Analytics | A detection engine that analyzes collected events. |
| Integrations | Integrations allow alerts and metaevents to be exported into third-party systems. |
| Metaevents | A "flight recorder" that stores facts about the host for use in investigation. |
More information