Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=LiveDiscoverQueryLimits

Limits on use of queries

We put limits on the use of Live Discover queries to prevent unwanted behavior.

Limits on the number of queries

We put limits on the number of queries you can run in a set time.

The limits for each Sophos Central account are currently as follows.

For scheduled and API queries combined:

  • Up to 1,000 queries per day.
  • Up to 10 queries per minute.

For queries that you run in the Live Discover user interface:

  • No limit on queries per day.
  • Up to 15 queries per minute.

If your account exceeds a limit, the Telemetry report in Live Discover shows an error message:

You've exceeded the number of queries that your account can run in a set time.

Guardrails

Endpoint and server devices and Sophos Central have guardrails to prevent queries from causing unwanted behavior.

Guardrails on devices

  • Watchdog: Devices have a watchdog that will end a query if it exceeds 30 per cent of the device's available CPU for 12 seconds or uses more than 256 MB of memory.

  • Return data size limit: Each device is limited to 10 MB of data for the response to any single query.

  • Single row data size limit: Each device is restricted to a maximum of 1 MB of data for a single row.

    Note

    If query results exceed the single row data size limit, the query appears to return data, but nothing shows in Sophos Central. A query can exceed the limit when looking for the content of a PowerShell event or registry key.

Guardrail on Sophos Central

Sophos Central limits the number of rows from all responding devices to a maximum of 100K. When this limit is reached, Sophos Central drops the additional data returned and instructs devices still processing a query not to return data.