Scheduled queries

You can schedule Live Discover queries to run regularly at set times.

Restriction: Scheduling is only available for Data Lake queries.

Schedule a query

You can schedule a query as follows:
  1. Go to Overview > Threat Analysis Center and click Live Discover.
  2. In Live Discover, click the arrow to expand Query.
  3. Click Data Lake Queries and select the category that you want to use, for example Files. This shows you a list of the queries in that category.
  4. Click the query you want to schedule, for example "Changed Windows files".
  5. At the bottom of the Live Discover page, click Schedule Query.
  6. In the Schedule Query dialog, select the frequency, the day of the month and the end date.

    If you don't want to set an end date, select Until I cancel.

    The bar graph in the upper right shows how many more scheduled queries or reports you can create. Each admin can only have a hundred altogether for Sophos products that share this report format.

  7. Click Create Scheduled Query.
  8. To see the new query, go to Live Discover > Scheduled Queries.

    You can click a query to see its results or to edit its settings.

    You can have up to a hundred "Actively Scheduled" queries. These are queries that are enabled to run (the default setting).


Get scheduled query results

To view the results of your scheduled queries, do as follows:

  1. Go to Overview > Threat Analysis Center > Live Discover > Scheduled Queries.
  2. Click the Results tab.
  3. A list shows each occasion when the query has run. Find the one you want and click View Results.

    You see the full query details and results.

Tip: To see recent results quickly, go to the Threat Analysis Center > Dashboard, look for Recently scheduled queries, and click the one you want.

Edit scheduled queries

To edit scheduled queries, do as follows:

  1. Go to Overview > Threat Analysis Center > Live Discover > Scheduled Queries.
    A list shows all the scheduled queries for your account.
  2. Find the query you want. Under Actions, click the Edit icon.
  3. On the query's details page, you can do as follows:
    • On the Query tab, edit the query name and description.
    • On the Schedule tab, turn the schedule on or off, or edit the schedule frequency and times.
  4. Click Update Scheduled Query to save your changes.

Delete scheduled queries

To delete scheduled queries, do as follows:

  1. Go to Overview > Threat Analysis Center > Live Discover > Scheduled Queries.
    A list shows all the scheduled queries for your account.
  2. Select a query or queries.
  3. In the upper right of the page, click Delete.