Skip to content
Last update: 2022-05-16

Overview of Sophos Linux Sensor architecture

Data collection

The Sophos Linux Sensor (SLS) collects many different data types by default.

  • Container lifecycle
  • File opens
  • Kernel function calls
  • Network activity
  • Process lifecycle
  • Raw system calls

Sensor architecture

SLS collects host telemetry through a kprobe event monitor. We use perf, an instrumentation tool within the Linux kernel, to extract kprobe events. The sensor includes a telemetry service via a grpc server to receive telemetry events.

Leveraging this telemetry, SLS adds detection, integration, and investigation capabilities.

Component Description
Analytics A detection engine that analyzes collected events.
Integrations Integrations allow alerts and metaevents to be exported into third party systems.
Metaevents A "flight recorder" that stores facts about the host for use in investigation.

More information

Back to top