Data Collection and Investigation policy

The Data Collection and Investigation policy lets you upload data from computers to our Data Lake. It also lets you use Live Response to access and investigate computers.

To view or edit the policy, do as follows:

  1. Go to My Products > Endpoint.
  2. Click Policies.
  3. Go to Data Collection and Investigation and click a policy to open its details.

    The base policy applies to all devices by default. You might also have custom policies for groups of devices that you specify. See About Policies.

  4. Click the Settings tab.

Next, configure the settings below.

Live Response

To change Live Response settings, you must be a Super Admin or have a custom role that includes Manage Data Collection and Investigation settings for computers. See Give admins access to Live Response.

Allow Live Response connection to computers: This setting lets you connect directly to computers to investigate and remediate possible security issues.

You can use Live Response to stop suspicious processes, restart computers with pending updates, browse folders, delete files, and more.

Live Response is turned on by default if you have Sophos MDR. Otherwise, it's turned off by default.

For information on using Live Response, see Set up and start Live Response.

If you turn on Live Response, but want to prevent access to sensitive computers, put them in a group and apply a policy with Live Response turned off.

Legacy Live Response exclusions

If you set Live Response exclusions before we introduced Data Collection and Investigation policies, we're automatically moving the excluded computers to custom policies with Live Response turned off.

Data Lake uploads

To change settings for data uploads, you must be a Super Admin or have a custom role that includes Manage Data Collection and Investigation settings for computers. See Add a custom role.

Upload to the Data Lake: This setting allows computers to upload security data to the Sophos Data Lake. You can query this data with Live Discover or our AI assistant.

Data Lake uploads are turned on by default.

If you want to prevent some devices from uploading data, put them in a group and apply a policy with Data Lake uploads turned off.

Legacy upload exclusions

If you set Data Lake upload exclusions before we introduced Data Collection and Investigation policies, we're automatically moving the excluded computers to custom policies with Data Lake uploads turned off.

Note

If you have a large environment, you might experience a sudden increase in network traffic when Data Lake uploads are turned on.

Note

You can add data from other Sophos products and third-party products to our Data Lake. For a list, see Products.