Data Collection and Investigation policy
The Data Collection and Investigation policy lets you upload data from computers to our Data Lake. It also lets you use Live Response to access and investigate computers.
To view or edit the policy, do as follows:
- Go to My Products > Endpoint.
- Click Policies.
- Go to Data Collection and Investigation and click a policy to open its details.
  The base policy applies to all devices by default. You might also have custom policies for groups of devices that you specify. See About Policies.
- Click the Settings tab.
Next, configure the settings below.
Live Response
To change Live Response settings, you must be a Super Admin or have a custom role that includes Manage Data Collection and Investigation settings for computers. See Give admins access to Live Response.
Allow Live Response connection to computers: This setting lets you connect directly to computers to investigate and remediate possible security issues.
You can use Live Response to stop suspicious processes, restart computers with pending updates, browse folders, delete files, and more.
Live Response is turned on by default if you have Sophos MDR. Otherwise, it's turned off by default.
For information on using Live Response, see Set up and start Live Response.
If you turn on Live Response, but want to prevent access to sensitive computers, put them in a group and apply a policy with Live Response turned off.
Legacy Live Response exclusions
If you set Live Response exclusions before we introduced Data Collection and Investigation policies, we're automatically moving the excluded computers to custom policies with Live Response turned off.
Data Lake uploads
To change settings for data uploads, you must be a Super Admin or have a custom role that includes Manage Data Collection and Investigation settings for computers. See Add a custom role.
Upload to the Data Lake: This setting allows computers to upload security data to the Sophos Data Lake. You can query this data with Live Discover or our AI assistant.
Data Lake uploads are turned on by default.
If you want to prevent some devices from uploading data, put them in a group and apply a policy with Data Lake uploads turned off.
Legacy upload exclusions
If you set Data Lake upload exclusions before we introduced Data Collection and Investigation policies, we're automatically moving the excluded computers to custom policies with Data Lake uploads turned off.
Note
If you have a large environment, you might experience a sudden increase in network traffic when Data Lake uploads are turned on.
Note
You can add data from other Sophos products and third-party products to our Data Lake. For a list, see Products.
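The two settings above resolve per device: the base policy applies everywhere, and a custom policy assigned to a group replaces it for that group's members. The following is an added example, not Sophos code, that models that resolution so you can check which devices end up with Live Response or Data Lake uploads still allowed. It assumes (as the page states) that a custom group policy takes precedence over the base policy, and it treats a device in two groups that both carry custom policies as ambiguous rather than guessing an order, because the page gives none. All device, group and policy names are constructed.

```python
"""Effective-setting check for Data Collection and Investigation policies.

Added example, not Sophos code. Model assumed from the page: the base policy
applies to every device, and a device in a group that has a custom policy
gets that custom policy's settings instead. Device, group and policy names
are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class DciPolicy:
    name: str
    live_response: bool       # "Allow Live Response connection to computers"
    data_lake_uploads: bool   # "Upload to the Data Lake"


@dataclass(frozen=True)
class Device:
    name: str
    groups: FrozenSet[str] = frozenset()


def effective_policy(device: Device, base: DciPolicy,
                     custom: Dict[str, DciPolicy]) -> DciPolicy:
    """Return the policy that applies to `device`.

    `custom` maps a group name to the custom policy assigned to that group.
    A device in more than one such group is reported as ambiguous instead of
    being resolved by a guessed precedence rule (assumption: none is given).
    """
    applicable = sorted(g for g in device.groups if g in custom)
    if len(applicable) > 1:
        raise ValueError(f"{device.name}: custom policies for {applicable}")
    return custom[applicable[0]] if applicable else base


def exposed_sensitive_devices(devices: Iterable[Device], base: DciPolicy,
                              custom: Dict[str, DciPolicy],
                              sensitive: Set[str]) -> List[str]:
    """Sensitive devices whose effective policy still allows Live Response."""
    return sorted(d.name for d in devices
                  if d.name in sensitive
                  and effective_policy(d, base, custom).live_response)


def uploading_devices(devices: Iterable[Device], base: DciPolicy,
                      custom: Dict[str, DciPolicy]) -> List[str]:
    """Devices whose effective policy has Data Lake uploads turned on."""
    return sorted(d.name for d in devices
                  if effective_policy(d, base, custom).data_lake_uploads)


# Constructed sample data: the defaults described on the page (Live Response
# on with MDR, uploads on) in the base policy, two restrictive group policies.
BASE = DciPolicy("Base", live_response=True, data_lake_uploads=True)
CUSTOM = {
    "Finance servers": DciPolicy("Finance - no remote access",
                                 live_response=False, data_lake_uploads=True),
    "Air-gapped lab": DciPolicy("Lab - no uploads",
                                live_response=False, data_lake_uploads=False),
}
DEVICES = [
    Device("fin-db-01", frozenset({"Finance servers"})),
    Device("hr-laptop-07"),                          # base policy only
    Device("lab-vm-03", frozenset({"Air-gapped lab"})),
    Device("dev-ws-12", frozenset({"Developers"})),  # group without a custom policy
]
SENSITIVE = {"fin-db-01", "hr-laptop-07", "lab-vm-03"}

if __name__ == "__main__":
    print("Sensitive devices still reachable via Live Response:",
          exposed_sensitive_devices(DEVICES, BASE, CUSTOM, SENSITIVE))
    print("Devices uploading to the Data Lake:",
          uploading_devices(DEVICES, BASE, CUSTOM))
```

In the sample data, hr-laptop-07 is marked sensitive but sits only under the base policy, so it is the one device the check reports; the fix is the one the page describes, putting it in a group with a custom policy that has Live Response turned off.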
Exclusions
You can add an event collection exclusion. This stops events being collected for the Sophos journals and the Data Lake, for cases where event collection impacts performance.
Only use this exclusion type if Sophos Support asks you to.
Warning
Adding exclusions reduces your protection against security exploits.
For help on using exclusions, see Using exclusions safely.
Restriction
Event collection isn't available in Global Exclusions.
To create an event collection exclusion, do as follows:
- Click Add Exclusions.
- In the Add Exclusion dialog, do as follows:
  - Select the type of item you want to exclude.
    - File/folder: You can exclude a file or folder. You can use wildcards. For wildcard examples, see Example wildcards.
    - Process: You can exclude any process running from an application. For more information on process exclusions, see Process exclusions (Windows).
  - In Value, specify the items you want to exclude.
  - Click Add or Add another for additional exclusions.
- Click Save.
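Because every exclusion reduces protection, it is worth reviewing the Value entries for breadth before saving them. The following is an added example, not Sophos code, that checks a list of file/folder exclusion values against a few constructed sample paths and flags patterns that are likely to cover far more than intended. The wildcard semantics it uses (`*` within one path component, `**` across components, `?` for one character, a trailing separator for a whole folder, a bare name applying in any folder) are an assumption made for this example, not a statement of the product's rules; see Example wildcards for the real ones. All patterns and paths are constructed.

```python
"""Breadth check for file/folder exclusions (added example, not Sophos code).

Assumed wildcard semantics, stated as an assumption for this example and not
as the product's rules: `*` matches any run of characters within one path
component, `**` matches across components, `?` matches one character, a
pattern ending in a separator excludes everything beneath that folder, and a
pattern with no separator is a bare name that applies in any folder. Paths
are compared case-insensitively and either separator is accepted. All
patterns and sample paths are constructed.
"""
import re
from typing import Dict, Iterable, List

WILDCARDS = set("*?")


def _normalize(path: str) -> str:
    return path.replace("\\", "/").lower()


def exclusion_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile one exclusion value into a regex over normalized paths."""
    p = _normalize(pattern)
    out = ["^"]
    if "/" not in p:
        out.append("(?:.*/)?")          # bare name: match in any folder
    i = 0
    while i < len(p):
        if p.startswith("**", i):
            out.append(".*")            # crosses directory boundaries
            i += 2
        elif p[i] == "*":
            out.append("[^/]*")         # stays within one component
            i += 1
        elif p[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(p[i]))
            i += 1
    if p.endswith("/"):
        out.append(".*")                # folder exclusion covers its subtree
    out.append("$")
    return re.compile("".join(out))


def excludes(pattern: str, path: str) -> bool:
    return exclusion_to_regex(pattern).match(_normalize(path)) is not None


def breadth_findings(pattern: str) -> List[str]:
    """Heuristic reasons a pattern may exclude far more than intended."""
    p = _normalize(pattern).rstrip("/")
    parts = [c for c in p.split("/") if c]
    if not parts or all(set(c) <= WILDCARDS for c in parts):
        return ["matches every path"]
    findings = []
    if "/" not in p:
        findings.append("bare name: applies wherever that name occurs")
    if "**" in p:
        findings.append("'**' spans directories; scope is hard to bound")
    if "/" in p and any(set(c) & WILDCARDS for c in parts[:2]):
        findings.append("wildcard within two levels of a drive root")
    return findings


def audit_exclusions(patterns: Iterable[str],
                     sample_paths: Iterable[str]) -> List[Dict]:
    """Per pattern: breadth findings plus which sample paths it would exclude."""
    sample_paths = list(sample_paths)
    return [{"pattern": pat,
             "findings": breadth_findings(pat),
             "excluded": [s for s in sample_paths if excludes(pat, s)]}
            for pat in patterns]


# Constructed sample data: candidate exclusion values and a few paths that
# represent what is on a typical endpoint.
EXCLUSIONS = ["*.tmp", "C:\\Temp\\*.log", "C:\\Program Files\\Vendor\\", "C:\\*"]
SAMPLE_PATHS = [
    "C:\\Program Files\\Vendor\\bin\\app.exe",
    "C:\\Temp\\build.log",
    "C:\\Temp\\sub\\old.log",
    "C:\\Users\\alice\\Downloads\\setup.tmp",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
]

if __name__ == "__main__":
    for row in audit_exclusions(EXCLUSIONS, SAMPLE_PATHS):
        print(row["pattern"], "->", row["findings"] or "ok",
              "| excludes:", row["excluded"])
```

The sample-path coverage and the breadth heuristics complement each other: `C:\*` excludes none of the sample paths, so a coverage count alone would pass it, while the heuristic still flags a wildcard at the drive root.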