# Overview of Sophos Linux Sensor architecture

## Data collection

The Sophos Linux Sensor (SLS) collects the following data types by default:
- Container lifecycle
- File opens
- Kernel function calls
- Network activity
- Process lifecycle
- Raw system calls
## Sensor architecture

SLS collects host telemetry through a kprobe event monitor. It uses perf, the instrumentation facility within the Linux kernel, to extract kprobe events. The sensor also exposes a telemetry service, implemented as a gRPC server, that receives telemetry events.
Leveraging this telemetry, SLS adds detection, integration, and investigation capabilities.
| Component | Description |
|---|---|
| Analytics | A detection engine that analyzes collected events. |
| Integrations | Integrations allow alerts and metaevents to be exported into third-party systems. |
| Metaevents | A "flight recorder" that stores facts about the host for use in investigation. |
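The table above describes how the three components relate: collected events feed the analytics engine, matches become alerts that integrations export, and metaevents keep a bounded record of host facts for later investigation. The following Python model is an added illustration of that flow and is not Sophos code; the event kinds mirror the data types listed under Data collection, while the field names, the two detection rules and the sample telemetry are assumptions constructed for the example.

```python
"""Toy model of the SLS pipeline: kprobe-style telemetry events flow into an
analytics engine, matched events raise alerts that are handed to an integration,
and every event is kept in a bounded "flight recorder" of metaevents.
Added illustration, not Sophos code; event field names are assumptions."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "process_exec", "file_open", "net_connect", "syscall"
    pid: int
    comm: str    # process name, as a kprobe on exec would report it
    detail: str  # path, remote address, or syscall name


@dataclass(frozen=True)
class Alert:
    rule: str
    event: Event


class FlightRecorder:
    """Metaevents: bounded store of recent host facts used during investigation."""

    def __init__(self, capacity=1000):
        self.events = deque(maxlen=capacity)

    def record(self, ev):
        self.events.append(ev)

    def history(self, pid):
        return [e for e in self.events if e.pid == pid]


class Analytics:
    """Detection engine: each rule is a predicate over (event, recorder)."""

    def __init__(self, recorder):
        self.recorder = recorder
        self.rules = {}

    def add_rule(self, name, predicate):
        self.rules[name] = predicate

    def evaluate(self, ev):
        # Every event is recorded before rules run, so rules may correlate
        # the current event with earlier facts about the same process.
        self.recorder.record(ev)
        return [Alert(n, ev) for n, p in self.rules.items() if p(ev, self.recorder)]


class Integration:
    """Export sink standing in for a SIEM or ticketing system."""

    def __init__(self):
        self.exported = []

    def export(self, alert):
        self.exported.append({"rule": alert.rule, "pid": alert.event.pid,
                              "comm": alert.event.comm, "detail": alert.event.detail})


# Constructed rules for illustration only.
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}


def sensitive_file_read(ev, rec):
    return ev.kind == "file_open" and ev.detail in SENSITIVE_PATHS


def shell_outbound_connection(ev, rec):
    # Uses the flight recorder: outbound connection from a pid whose recorded
    # history shows an interactive shell was executed.
    if ev.kind != "net_connect":
        return False
    return any(e.kind == "process_exec" and e.comm in {"sh", "bash"}
               for e in rec.history(ev.pid))


def run_pipeline(events, capacity=100):
    """Feed events through analytics; return exported alerts and the recorder."""
    rec = FlightRecorder(capacity=capacity)
    engine = Analytics(rec)
    engine.add_rule("sensitive_file_read", sensitive_file_read)
    engine.add_rule("shell_outbound_connection", shell_outbound_connection)
    sink = Integration()
    for ev in events:
        for alert in engine.evaluate(ev):
            sink.export(alert)
    return sink.exported, rec


SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    Event("process_exec", 4242, "bash", "/bin/bash"),
    Event("file_open", 4242, "bash", "/home/alice/notes.txt"),
    Event("file_open", 4242, "bash", "/etc/shadow"),
    Event("syscall", 4242, "bash", "connect"),
    Event("net_connect", 4242, "bash", "203.0.113.7:8443"),
    Event("process_exec", 5151, "sshd", "/usr/sbin/sshd"),
    Event("net_connect", 5151, "sshd", "198.51.100.2:22"),
]

if __name__ == "__main__":
    alerts, recorder = run_pipeline(SAMPLE_EVENTS)
    for a in alerts:
        print(a)
    print(len(recorder.history(4242)), "metaevents recorded for pid 4242")
```

The second rule shows why the flight recorder is part of the architecture rather than an add-on: the network event alone is unremarkable, and only the stored process-lifecycle fact for the same pid lets the engine decide. A real sensor would bound the recorder by time as well as by count, but the deque keeps the model small.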
## More information