
Data Lake uploads

You can configure devices and products to upload security data to a Data Lake so that you can query it with Live Discover.

Note

Data Lake uploads are turned off by default so that you can decide which devices to exclude before turning the uploads on. If uploads were on by default, customers with large environments might see a sudden increase in network traffic.

We host the Data Lake in the cloud for you, but you can control the uploads of data to it.

You can add data from third-party sources into our Data Lake. You can then include this data in your queries. You can combine it with data from Sophos products. At the moment you can add Microsoft 365 audit log data. We are adding more third-party data sources to this feature.

You can do as follows:

  • Turn on uploads for all devices.
  • Turn off uploads for specific devices. You might want to do this if those devices send too much data or you need to troubleshoot.
  • Turn on uploads for all Sophos Cloud Optix cloud environments.
  • Turn on uploads for specific Sophos Cloud Optix cloud environments.
  • Create a connection to your Microsoft 365 domain and upload audit log data.

For help with Live Discover see Live Discover.

Turn on uploads for devices

Restriction

To change settings for device uploads, you must be a Super Admin or Admin or have a custom role with Full access to Endpoint Protection or Server Protection. See Add a custom role.

You must configure uploads separately for computers and servers.

Configure device uploads as follows.

  1. Go to My Products > General Settings.
  2. Under Endpoint Protection (or Server Protection for servers), click Data Lake uploads.
  3. Turn on Upload to the Data Lake.

    If you have Sophos Managed Detection and Response (MDR), devices automatically upload data, regardless of this setting. However, you can turn off uploads for specific devices.

  4. Optional: To turn off uploads for specific devices, do as follows:

    1. Under Exclusions, select devices in the Available list.
    2. Move the devices to the Excluded list.

Turn on uploads for Sophos Mobile

To use Data Lake queries on data from Sophos Mobile, you need a Mobile Advanced or Intercept X for Mobile license in Sophos Central, and an Endpoint, Server, or MDR license that includes Sophos XDR.

Sophos Mobile only uploads data from Android devices, iPhones, and iPads to the Data Lake. For Windows computers and Macs, turn on Data Lake uploads for Endpoint Protection. See Turn on uploads for devices.

Note

The data we upload depends on the device management mode. For example, there's more data available for an Android Enterprise fully managed device than a device on which Sophos Mobile only manages Sophos Intercept X for Mobile.

To turn on Sophos Mobile uploads, do as follows:

  1. Go to My Products > General Settings.
  2. Under Mobile, click Data Lake uploads.
  3. Turn on Upload to the Data Lake.
  4. Optional: Select Network logging to upload network log data, such as IP addresses, ports, timestamps, and involved apps, to the Data Lake.

    Network logging is available for the following devices:

    • Android devices on which Sophos Mobile manages the Sophos Mobile Control app.
    • iPhones and iPads on which Sophos Mobile manages the Sophos Intercept X for Mobile app.

Turn on uploads for Sophos Cloud Optix

You must be a Super Admin in Sophos Cloud Optix Advanced to turn on Data Lake uploads in Sophos Cloud Optix.

To use Data Lake queries on data from your cloud environments, you need a Sophos Cloud Optix Advanced license in Sophos Central, and an Intercept X license that includes Sophos XDR.

To turn on Sophos Cloud Optix uploads, do as follows.

  1. Sign in to Sophos Cloud Optix.
  2. Go to Settings > Advanced.
  3. Turn on XDR Data Uploads.

    You can upload activity log data for specific cloud environments or all your environments.

Data is uploaded in the order in which it's ingested by Sophos Cloud Optix. The most recent data is uploaded first.

Turn on uploads for Microsoft 365 audit logs

You can add Microsoft 365 audit log data to the Data Lake.

You must be a Microsoft 365 administrator.

You must have auditing turned on in Microsoft 365. If you don't, you're prompted to turn it on during setup.

To add Microsoft 365 data to the Data Lake, do as follows:

  1. Click Third-party integrations.
  2. Click Microsoft 365 user activity logs.
  3. On the Microsoft 365 Connection - Domains settings/status page, click + Add Microsoft 365 Connection.
  4. Optional: If auditing is not turned on, you can click the link on the Turn on Microsoft 365 auditing page.

    This takes you to Microsoft 365. You can turn on auditing, then return to Sophos Central. See Turn auditing on or off. You may be asked to authenticate by Microsoft to turn on auditing.

    Note

    It can take up to 12 hours for Microsoft 365 audit log data to appear after you have turned on auditing.

  5. Click Next.

    You are directed to Microsoft 365 for authentication.

  6. Follow the instructions from Microsoft to grant permission to create an application in Microsoft 365.

    You're asked to authorize at least once. Depending on your Microsoft 365 environment, you may be asked to authorize more than once.

    The connection should take about a minute.

The new domain appears in Microsoft 365 Connection - Domains settings/status.

In Live Discover > Query, a new category Microsoft 365 audit data appears. You can run the queries in this category on your Microsoft 365 data.
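The steps above depend on unified audit logging being turned on in Microsoft 365, and the audit data can take hours to appear. The following PowerShell is an added example, not part of this page or of Sophos Central: it checks the auditing setting from Exchange Online PowerShell, turns it on if needed, and then pulls a small sample of recent audit records so you can confirm events are actually being generated before you troubleshoot the Sophos Central connection. It assumes the ExchangeOnlineManagement module, an account with permission to change audit settings (for example a Global Admin), and a placeholder user principal name.

```powershell
# Added example (not from the Sophos page): verify and enable Microsoft 365
# unified audit logging, then sample recent audit records.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account
# can read and change audit configuration; admin@contoso.example is a placeholder.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Check whether unified audit log ingestion is enabled for the tenant.
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit logging is OFF. Turning it on."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Audit records can take up to 12 hours to appear after auditing is turned on.
} else {
    Write-Host "Unified audit logging is already ON."
}

# Sample the last hour of audit records. An empty result right after enabling
# auditing is expected; an empty result long after it is worth investigating
# before assuming the Sophos Central connection is at fault.
$end   = Get-Date
$start = $end.AddHours(-1)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 50

if ($records) {
    $records |
        Select-Object CreationDate, UserIds, Operations, RecordType |
        Format-Table -AutoSize
} else {
    Write-Host "No audit records in the last hour (auditing may have been enabled only recently)."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run this before step 1 to avoid the auditing prompt during setup, and again after the connection is made if the Microsoft 365 audit data category in Live Discover stays empty. Since step 6 grants permission to create an application in Microsoft 365, it is also worth reviewing that application's granted permissions in the Microsoft Entra admin center afterwards, as you would for any third-party integration with tenant-wide audit log access.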