Today we will start uploading data from Intercept X Advanced XDR Mac devices to the Sophos Data Lake where Endpoint Data Lake uploads have been enabled. The plan is to enable this gradually across our customer base: 30% of accounts today, another 30% on October 26 assuming all goes well, and the final 40% of customers on October 28th.
Customers don’t need to take any action and devices will automatically start uploading data to the Data Lake once their account is enabled and as long as Endpoint Data Lake uploads have been enabled.
Enable Endpoint Data Lake Uploads: In your Sophos Central console select ‘Global Settings’, then under Endpoint select the ‘Data Lake uploads’ setting and turn on the ‘Upload to the Data Lake’ toggle. Once enabled, we will perform scheduled hydration queries on your devices, which capture interesting threat hunting related data and send it to the Data Lake. From the settings page you can also exclude specific devices from sending data to the Sophos Data Lake if you wish.
Accounts that are enrolled in the Detection and Investigation early access program should also start seeing Mac-based detections in the Detections dashboard once their uploads are enabled. See this blog post for more details on the Detection and Investigation EAP and how to join.