
Create a Linux Runtime Detection profile

You can create a new Linux Runtime Detection Profile or create a new version of an existing profile.

Create a new profile

Create a new profile when you're new to the Linux Runtime Detection capability or when you're creating new groups within your environment. For example, you can create a new profile to assign to a group of production servers where you want to tune the rules for your production environment. A new profile starts as version 1 of that profile, and you can assign it to a Runtime Detection policy or export it for use in Sophos Linux Sensor.

To create a new Linux Runtime Detection Profile, do as follows:

  1. Go to My Products > Cloud Native Security > Profiles.
  2. Click Create Profile.
  3. Enter a Profile Name.
  4. Select the Content Version you want to use for your Profile. The most recent content version is selected by default.

    Note

    The latest Content Version in Sophos Central may be different than the rtd_content_version seen on an endpoint. See Content Version.

  5. Optional: Enter a short Change Description to help you identify the profile version later.

  6. Select the rules you want by turning Enabled on or off for the individual rules on the Detection Analytics and Smart Policy tabs. See Advanced Linux Runtime Detection Profile configuration.
  7. Click Save.

Create a new version

Creating a new version of an existing profile provides a way to test and update profiles while keeping a history of the previous configurations. This is useful when tuning a pre-existing profile, as it allows you to make changes without creating an entirely new profile, for example when your environment changes or when SophosLabs releases a new content version.

To create a new version of an existing Linux Runtime Detection Profile, do as follows:

  1. Go to My Products > Cloud Native Security > Profiles.
  2. Click the name of the profile you want to update.
  3. Click Create New Version.

    Tip

    You can also click the Actions button on the profile you want to update and click Create New Version.

  4. Select the Content Version you want to use for your Profile. The most recent content version is selected by default.

    Note

    The latest Content Version in Sophos Central may be different than the rtd_content_version seen on an endpoint. See Content Version.

  5. Optional: Enter a short Change Description to help you identify the profile version later.

  6. Select the rules you want by turning Enabled on or off for the individual rules on the Detection Analytics and Smart Policy tabs. See Advanced Linux Runtime Detection Profile configuration.
  7. Click Save.

Content Version

The latest Content Version in Sophos Central may have a different build number than the rtd_content_version shown on a Linux device. The build number is the last digit in the Content Version. For example, if the Content Version is 5.6.0.4, then 4 is the build number.

The Content Version may still be up to date, even if the build number is different. For example, in the following image, Sophos Central shows 5.6.0.6 as the latest Content Version and the endpoint shows the rtd_content_version is 5.6.0.4.

[Image: Content Version differences]

In this example, since the latest Content Version in Sophos Central and the rtd_content_version are both 5.6.0.X, the endpoint is up to date and is referencing the latest content.
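The comparison rule above can be applied across many hosts at once. The following is an added example, not Sophos code: it treats an endpoint as up to date when everything except the build number matches the latest Content Version in Sophos Central. The inventory format (`<hostname> <rtd_content_version>` per line) and the hostnames are assumptions, and collecting the values from endpoints is outside its scope.

```python
import re

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")  # e.g. 5.6.0.4


def parse_content_version(text):
    """Return (release, build), e.g. ((5, 6, 0), 4), or None if malformed."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        return None
    *release, build = (int(part) for part in match.groups())
    return tuple(release), build


def compare_to_central(central_latest, endpoint_version):
    """Classify an endpoint's rtd_content_version against Central's latest."""
    central = parse_content_version(central_latest)
    if central is None:
        raise ValueError(f"bad Central Content Version: {central_latest!r}")
    endpoint = parse_content_version(endpoint_version)
    if endpoint is None:
        return "unparseable"
    if endpoint[0] != central[0]:
        return "release_mismatch"  # not the same X.Y.Z: review this host
    if endpoint[1] != central[1]:
        return "up_to_date_build_differs"  # only the build number differs
    return "identical"


def audit(central_latest, inventory_lines):
    """Map hostname -> status for lines of the form '<hostname> <version>'."""
    report = {}
    for line in filter(None, map(str.strip, inventory_lines)):
        host, _, version = line.partition(" ")
        report[host] = compare_to_central(central_latest, version)
    return report


# Constructed sample inventory; hostnames and line format are assumptions.
SAMPLE_INVENTORY = """\
web-01 5.6.0.4
web-02 5.6.0.6
db-01 5.5.2.9
batch-01 5.6.0
"""

if __name__ == "__main__":
    for host, status in audit("5.6.0.6", SAMPLE_INVENTORY.splitlines()).items():
        print(f"{host:10} {status}")
```

Hosts reported as `release_mismatch` or `unparseable` are the ones to check by hand. A differing build number alone does not indicate stale content.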