Skip to content
Last update: 2022-05-11

Sophos Linux Sensor FAQ

As part of the Sophos acquisition of Capsule8, the Sophos business owners have taken the decision to ‘rebrand’ the Capsule8 sensor and ‘default content.’ (this doc will be released on/about the release of the 5.0 version of run timed detections sensor.

What's changed

Sophos has released a sensor and content that has removed most references to Capsule8 in the installation, update and operation of those components. See this documents page describing the current state.

What level of SemVer change is this?

a major change. We’re moving to version 5.x.y.

I have existing capsule8 yaml files I use to configure the sensor and policies, will I have to change them?

No. See the list below for order of evaluation. The 5.0 sensor will look first for the capsule8 env then the /etc/capsule8 paths, and if found, will use them and look no further.

Will my sensor logs show which paths the sensor ended up using?

Yes, it will show the sensor yaml and the analytics/rules yaml, if the latter is present.

How long do I have to update my configs to use the Sophos renamed yaml config files (capsule8-sensor.yaml and capsule8-analytics.yaml)?

Sophos will support the legacy Capsule8 config yaml files through …

I’ve written SIEM rules to categorize alerts from Capsule8, what’s changed there?

Categories of format C8.XX.XX will be changed to RTD.XX.XX. Categories of format MITRE.XX.XX are unchanged.

I use ansible or other Config Management tooling that references the capsule8 binary, how will this change affect me?

The binary name will now be called sophoslinuxsensor.

I update my sensor by going to the package repository and running (the equivalent of) apt update capsule8-sensor. How will this change affect me?

A new series of .deb/.rpm packages will be made available in Summer 2022 with a replacement for the legacy Capsule8 package repository that you can integrate your OS package managers with. Existing package repos (hosted in won't receive the 5.x series of Sensor or content updates.

I don’t use default content, having built customized rules. How will this change affect me?

Sophos will provide an optional one-time cutover service to help you migrate from your customizations that will fit within the ‘default content’ process.

Back to top