Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=LiveDiscoverDataLakeUploads

Data Lake uploads

Some features are being moved or renamed as we introduce a new policy for data collection and investigation.

You can configure devices and products to upload security data to a Data Lake so that you can query it with Live Discover.

We host the Data Lake in the cloud for you, but you can control the uploads of data to it.

By default, Data Lake uploads are turned on for devices running Endpoint Protection or Server Protection.

You can also upload data from other Sophos products or from third-party products.

Turn on uploads from computers and servers

To change settings for data uploads, you must be a Super Admin or have a custom role that includes Manage Data Collection and Investigation settings for computers. See Add a custom role.

You configure uploads separately for computers and servers.

Configure device uploads as follows.

  1. Go to My Products > Endpoint (or Server for servers).
  2. Click Policies.

  3. Go to Data Collection and Investigation and click a policy to open its details.

    The base policy applies to all devices by default. You might also have custom policies for groups of devices that you specify. See About Policies.

  4. Click the Settings tab.

  5. Turn on Upload to the Data Lake.

For more details, see Data Collection and Investigation policy or Server Data Collection and Investigation policy.

Turn on uploads from Sophos Mobile

To use Data Lake queries on data from Sophos Mobile, you need a Mobile Advanced or Intercept X for Mobile license in Sophos Central, and an Endpoint, Server, or MDR license that includes Sophos XDR.

Sophos Mobile uploads data from Android devices, iPhones, iPads, and Chromebooks to the Data Lake.

Note

The data we upload depends on the device management mode. For example, there's more data available for an Android Enterprise fully managed device than a device on which Sophos Mobile only manages Sophos Intercept X for Mobile.

To turn on Sophos Mobile uploads, do as follows:

  1. Go to My Products > General Settings.
  2. Under Mobile, click Data Lake uploads.
  3. Turn on Upload to the Data Lake.

  4. Optional: Select Network logging to upload network log data, such as IP addresses, ports, timestamps, and involved apps, to the Data Lake.

    Network logging is available for the following devices:

    • Android devices on which Sophos Mobile manages the Sophos Mobile Control app.
    • iPhones and iPads on which Sophos Mobile manages the Sophos Intercept X for Mobile app.

Turn on uploads from other products

You can turn on uploads from other Sophos products or from third-party security products.

You turn on these uploads by integrating the products with Sophos Central.

For details of products you can integrate and step-by-step instructions for integration, see Products.