Data Lake uploads

You can configure devices and products to upload security data to a Data Lake so that you can query it with Live Discover.

We host the Data Lake in the cloud for you, but you can control the uploads of data to it.

You can do the following:

  • Turn on uploads for all devices.
    Restriction: macOS devices can't currently upload data.
  • Turn off uploads for specific devices. You might want to do this if those devices send too much data or you need to troubleshoot.
  • Turn on uploads for all Sophos Cloud Optix cloud environments.
  • Turn on uploads for specific Sophos Cloud Optix cloud environments.

For help with Live Discover, see Live Discover.

Configure uploads for devices

Restriction: To change settings for device uploads, you must be a Super Admin or Admin, or have a custom role with Full access to Endpoint Protection or Server Protection. See Add a custom role.

You must configure uploads separately for computers and servers.

Configure device uploads as follows.

  1. Go to Overview > Global Settings.
  2. Under Endpoint Protection (or Server Protection for servers), click Data Lake uploads.
  3. Turn on Upload to the Data Lake.

    If you have Sophos Managed Threat Response (MTR), devices automatically upload data, regardless of this setting. However, you can turn off uploads for specific devices.

  4. Optional: To turn off uploads for specific devices, do as follows:
    1. Under Exclusions, select devices in the Available list.
    2. Move the devices to the Excluded list.

    Any macOS devices on your network are listed, even though they can't currently upload data.

Configure uploads for Sophos Cloud Optix

Restriction: You must be a Super Admin in Sophos Cloud Optix Advanced to turn on Data Lake uploads in Sophos Cloud Optix.

Configure Sophos Cloud Optix uploads as follows.

  1. Sign in to Sophos Cloud Optix.
  2. Go to Settings > Advanced.
  3. Turn on XDR Data Uploads.

    You can upload activity log data for specific cloud environments or all your environments.

If you are uploading data from your cloud environments to the Data Lake using Sophos Cloud Optix, the data is uploaded in the order in which it's ingested by Sophos Cloud Optix. The most recently ingested data is uploaded first.