For anyone who has joined the XDR & EDR Data Lake Early Access Program: we have been providing instructions on the different steps to join and enroll devices, but I thought it would be useful to have one full blog post covering those steps and also detailing how to acquire and use the test tool to query the Data Lake APIs. So here you go.
Step 1: Joining the EAP and enrolling devices
The presentation here walks you through joining the EAP and enrolling devices into it.
A few things to note:
Once devices are enrolled into the EAP they will start sending data to the Sophos Data Lake. If you plan on searching the Data Lake using Sophos Central only (i.e. you do not intend to query the Data Lake via the APIs), you only need to complete this first step. Check out this video, which walks through the Central enhancements that allow you to query the Data Lake using our Live Discover functionality.
If you would like to query the Sophos Data Lake using our APIs then continue to follow the steps below.
Step 2: Getting your credentials for connecting to the API
This step prepares you to get the test tool up and running. To run the test tool (or to use any other method of connecting to the APIs) you will need a client ID and client secret. To obtain those details:
Step 3: Downloading, setting up the test tool and running queries
Select a Windows system managed by the Central account being used for the EAP. You can use this system to run the test tool and query the Data Lake. On this system you will need to install Python 3.8 or above. You can download it from here:
Important: During the Python install, choose the option to update the PATH value.
Note: At the end of the install there is also an option to override the default 260-character path length limit. It's been suggested that on a Windows system that has been running for a while you may want to choose this option as well.
Once Python is installed, the EDR Data Lake Test tool can be downloaded from GitHub here (click the Code dropdown and choose 'Download ZIP'):
At this point you are able to run queries. They can be entered directly into the query text box in the tool, or you can use the File menu's 'Load Query' option; then click Run Query to execute the query. Results should appear in the Output text box.
A collection of about 80 queries can be found here in the Files section of the community. Just download and extract the zip file.
Note: The command shell used to start the tool will remain open and will provide debug details on what is happening with the tool.
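If you would rather script against the APIs than use the test tool, the following is an added example (my own code, not part of the test tool or this post) of the first step: exchanging the client ID and client secret from Step 2 for a bearer token and resolving the tenant. It assumes the public Sophos Central token endpoint (https://id.sophos.com/api/v2/oauth2/token) and whoami endpoint (https://api.central.sophos.com/whoami/v1), reads the credentials from the environment variables SOPHOS_CLIENT_ID and SOPHOS_CLIENT_SECRET (names chosen here) rather than hardcoding them, and derives the regional API host that later Data Lake calls are sent to.

```python
"""Added example (not the EAP test tool's code): Sophos Central client-credentials login.
Assumes the public Central API token and whoami endpoints; the regional host
that whoami returns is where later Data Lake queries are sent."""
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://id.sophos.com/api/v2/oauth2/token"
WHOAMI_URL = "https://api.central.sophos.com/whoami/v1"


def token_request_body(client_id: str, client_secret: str) -> bytes:
    """Form-encoded body for the OAuth2 client_credentials grant."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "token",
    }).encode()


def tenant_headers(access_token: str, whoami: dict) -> dict:
    """Headers every tenant-scoped Central API call needs; refuses non-tenant ids."""
    if whoami.get("idType") != "tenant":
        raise ValueError("credentials are not tenant-scoped: %r" % whoami.get("idType"))
    return {"Authorization": "Bearer " + access_token, "X-Tenant-ID": whoami["id"]}


def regional_api_host(whoami: dict) -> str:
    """Base URL of the tenant's data region, without a trailing slash."""
    return whoami["apiHosts"]["dataRegion"].rstrip("/")


def _request_json(url: str, headers: dict, body: bytes = None) -> dict:
    # body=None makes this a GET; a bytes body makes it a POST.
    req = urllib.request.Request(url, data=body, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def login() -> tuple:
    """Exchange the Step 2 credentials for a bearer token and resolve the tenant."""
    client_id = os.environ["SOPHOS_CLIENT_ID"]          # keep secrets out of source
    client_secret = os.environ["SOPHOS_CLIENT_SECRET"]
    tok = _request_json(TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"},
                        token_request_body(client_id, client_secret))["access_token"]
    whoami = _request_json(WHOAMI_URL, {"Authorization": "Bearer " + tok})
    return tenant_headers(tok, whoami), regional_api_host(whoami)


if __name__ == "__main__":
    headers, host = login()
    print("tenant", headers["X-Tenant-ID"], "data region host", host)
```

The token expires after a short time, so a longer-running script should repeat login() when it receives an authentication error rather than caching the token indefinitely.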
If you have any questions on these instructions or anything else, or want to provide feedback, please use the Discussion section of this community here and we'll get back to you ASAP.