Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=TACScheduledQueries

Scheduled queries

You can schedule Live Discover queries to run regularly at set times.

Restriction

Scheduling is only available for Data Lake queries.

For help with Live Discover see Live Discover.

This video explains how to schedule a query.

Schedule a query

You can schedule a query as follows:

  1. Go to Threat Analysis Center and click Live Discover.

  2. In Live Discover, open the Query section (if it isn't already open).

    Live Discover page.

  3. Click Data Lake Queries and select the category that you want to use, for example Files. This shows you a list of the queries in that category.

    Data Lake query categories.

  4. Click the query you want to schedule, for example "Changed Windows files".

    List of queries.

  5. Optional: Click the arrow to open Select a time period and select the period to query. The default is the past 7 days.

    This option isn't the same as the query's schedule. It specifies how much past data the query runs on, not how often it runs.

    Select a time period.

  6. At the bottom of the Live Discover page, click Schedule Query.

    Schedule Query button.

  7. In the Schedule Query dialog, select the frequency, the day of the month and the end date.

    If you don't want to set an end date, select Until I cancel.

    The bar graph in the upper right shows how many more scheduled queries or reports you can create. Each admin can only have a hundred altogether for Sophos products that share this report format.

    Scheduled query settings.

  8. Click Create Scheduled Query.

  9. To see the new query, go to Threat Analysis Center > Preferences and select the Scheduled Queries tab.

    You can click a query to see its results or to edit its settings.

    You can have up to a hundred "Actively Scheduled" queries. These are queries that are enabled to run (the default setting).

    Scheduled queries list.

Get scheduled query results

To view the results of your scheduled queries, do as follows:

  1. Go to Threat Analysis Center > Preferences.

  2. On the Scheduled Queries tab, click a scheduled query to show its details.

    Scheduled queries tab.

  3. On the Results tab, a list shows each occasion when the query has run. Find the one you want and click View Results.

    Scheduled queries results list.

  4. In the query results, click the ellipsis icon ellipsis icon. beside data to investigate further with pivot queries. See Pivot queries

    Scheduled queries results.

Tip

To see recent results quickly, go to the Threat Analysis Center > Dashboard, look for Recently scheduled queries, and click the one you want.

Edit scheduled queries

You can edit scheduled queries to change when they run or the time period they query.

To edit scheduled queries, do as follows:

  1. Go to Threat Analysis Center > Preferences.

  2. On the Scheduled Queries tab, find the query you want. Under Actions, click the Edit icon.

    Edit icon.

  3. On the query's details page, you can do as follows:

    • On the Query tab, edit the query name, description, or the time period to query (for example, the past 7 days).
    • On the Schedule tab, turn the schedule on or off, or edit the schedule frequency and times.

    Scheduled query details page.

  4. Click Update Scheduled Query to save your changes.

Delete scheduled queries

To delete scheduled queries, do as follows:

  1. Go to Threat Analysis Center > Preferences
  2. On the Scheduled Queries tab, select a query or queries.

  3. In the upper right of the page, click Delete.

    Delete button.