Skip to content

Data Lake uploads

You can configure devices and products to upload security data to a Data Lake so that you can query it with Live Discover.

We host the Data Lake in the cloud for you, but you can control the uploads of data to it.

You can add data from third-party sources into our Data Lake. You can then include this data in your queries. You can combine it with data from Sophos products. At the moment you can add Microsoft 365 audit log data. We are adding more third-party data sources to this feature.

You can do as follows:

  • Turn on uploads for all devices.
  • Turn off uploads for specific devices. You might want to do this if those devices send too much data or you need to troubleshoot.
  • Turn on uploads for all Sophos Cloud Optix cloud environments.
  • Turn on uploads for specific Sophos Cloud Optix cloud environments.
  • Create a connection to your Microsoft 365 domain and upload audit log data.

For help with Live Discover see Live Discover.

Turn on uploads for devices

Restriction

To change settings for device uploads, you must be a Super Admin or Admin or have a custom role with Full access to Endpoint Protection or Server Protection. See Add a custom role.

You must configure uploads separately for computers and servers.

Configure device uploads as follows.

  1. Go to Overview > Global Settings.
  2. Under Endpoint Protection (or Server Protection for servers), click Data Lake uploads.
  3. Turn on Upload to the Data Lake.

    If you have Sophos Managed Threat Response (MTR), devices automatically upload data, regardless of this setting. However, you can turn off uploads for specific devices.

  4. Optional: To turn off uploads for specific devices, do as follows:

    1. Under Exclusions, select devices in the Available list.
    2. Move the devices to the Excluded list.

Turn on uploads for Sophos Mobile

Configure Sophos Mobile uploads as follows.

  1. Go to Overview > Global Settings.
  2. Under Mobile, click Data Lake uploads.
  3. Turn on Upload to the Data Lake.

The data we upload depends on the device management mode. For example, there's more data available for an Android Enterprise fully managed device than a device on which Sophos Mobile only manages Sophos Intercept X for Mobile.

We don't currently upload data for Windows computers and Macs managed by Sophos Mobile.

Turn on uploads for Sophos Cloud Optix

You must be a Super Admin in Sophos Cloud Optix Advanced to turn on Data Lake uploads in Sophos Cloud Optix.

To use Data Lake queries on data from your cloud environments, you need a Sophos Cloud Optix Advanced license in Sophos Central, and an Intercept X license that includes Sophos XDR.

To turn on Sophos Cloud Optix uploads, do as follows.

  1. Sign in to Sophos Cloud Optix.
  2. Go to Settings > Advanced.
  3. Turn on XDR Data Uploads.

    You can upload activity log data for specific cloud environments or all your environments.

Data is uploaded in the order in which it's ingested by Sophos Cloud Optix. The most recent data is uploaded first.

Turn on uploads for Microsoft 365 audit logs

You can add Microsoft 365 audit log data to the Data Lake.

You must be a Microsoft 365 administrator.

You must have auditing turned on in Microsoft 365. If you don't, you're prompted to turn it on during setup.

To add Microsoft 365 data to the Data Lake, do as follows:

  1. Click Third-party integrations.
  2. Click Microsoft 365 user activity logs.
  3. On the Microsoft 365 Connection - Domains settings/status page, click + Add Microsoft 365 Connection.
  4. Optional: If auditing is not turned on, you can click the link on the Turn on Microsoft 365 auditing page.

    This takes you to Microsoft 365. You can turn on auditing, then return to Sophos Central. See Turn auditing on or off. You may be asked to authenticate by Microsoft to turn on auditing.

    Note

    It can take up to 12 hours for Microsoft 365 audit log data to appear after you have turned on auditing.

  5. Click Next.

    You are directed to Microsoft 365 for authentication.

  6. Follow the instructions from Microsoft to grant permission to create an application in Microsoft 365.

    You're asked to authorize at least once, depending on your Microsoft 365 environment.

    The connection should take about a minute.

The new domain appears in Microsoft 365 Connection - Domains settings/status.

In Live Discover > Query, a new category Microsoft 365 audit data appears. You can run the queries in this category on your Microsoft 365 data.

Back to top