Data Lake uploads

You can configure devices to upload security data to a Data Lake so that you can query it with Live Discover.

We host the Data Lake in the cloud for you, but you can control the uploads of data to it.

Restriction: To change these settings, you must be a Super Admin or Admin, or have a custom role with Full access to Endpoint Protection or Server Protection. See Add a custom role.
You can do the following:
  • Turn on uploads for all devices.
    Restriction: macOS devices can't currently upload data.
  • Turn off uploads for specific devices. You might want to do this if those devices send too much data or you need to troubleshoot.

You must configure uploads separately for computers and servers.

Configure uploads as follows.

  1. Go to Overview > Global Settings.
  2. Under Endpoint Protection (or Server Protection for servers), click Data Lake uploads.
  3. Turn on Upload to the Data Lake.

    If you have Sophos Managed Threat Response (MTR), devices automatically upload data, regardless of this setting. However, you can turn off uploads for specific devices.

  4. Optional: To turn off uploads for specific devices, do as follows:
    1. Under Exclusions, select devices in the Available list.
    2. Move the devices to the Excluded list.

    Any macOS devices on your network are listed, even though they can't currently upload data.

Each device can upload only 250MB of data daily. When a device reaches this limit, it doesn't send or store more data until the limit is reset. On Windows, the reset occurs at midnight local time. On Linux, the reset occurs every 24 hours from when the service started.

For information about running queries on the Data Lake, see Live Discover.