Data Lake queries

Data Lake queries let you search security and compliance data that your devices upload to the cloud.

You can run Data Lake queries with Live Discover, a feature in our Threat Analysis Center.

Live Discover now lets you choose which data source you use when you set up and run a query:
  • Endpoints that are currently connected.
  • The Data Lake in the cloud.

How the Data Lake works

We host the Data Lake and provide scheduled “hydration queries” that define which data your endpoints upload to it.

However, before you use Data Lake queries, you must make sure that data is being uploaded. To turn on uploads of data, see Data Lake uploads.

We store the data for 7 days if you have an EDR license, or 30 days if you have an XDR license.

We provide pre-prepared Data Lake queries you can run. You can use them as they are or edit them. You can also create your own queries.

Benefits of Data Lake queries

Data Lake queries have some advantages over endpoint queries.

They always give results for all endpoints, whether they’re connected or not.

They can query data from the past 7 days (EDR) or 30 days (XDR).

They can be scheduled.

They can give you access to data uploaded by other Sophos products you're using (shown as “sensors” in Live Discover). For example:

  • Sophos Email can upload data if you have O365 integration and turn on Search and Destroy.
  • Sophos Firewall can upload data if you have Central Firewall Reporting set up.

Note: For access to data from these other products, you need an Intercept X license that includes XDR.