Frequently asked questions

Welcome to the EDR Data Lake EAP (Early Access Program).

How do I learn more?

  • In this forum you will find a number of documents, videos, queries and posts explaining the program. If you have any questions, you can post the question or comment on the forum or email us directly at  We will be providing regular updates as the EAP progresses.

How do I join the EAP?

  • To enroll in the EAP, we will need to know the deployment region for your account. You can find this by opening the central management console and hovering over the endpoint installer link.
  • You can mail that information to along with your name and the company name, and we will send you an activation code and instructions on how to enroll.

What is included in the Early Access Program?

  • At the start of the EAP we are confirming that information is being put into the data lake and that the API we are making available allows access to the data for query execution. As the EAP matures, we will be adding new user interface controls to query information in the data lake and to enable new features in Live Discover. Those include scheduled reports that use a query, pivoting from a result to another query, enrichment of data from an external location, one-click actions and much more. We will be providing videos, webcasts and forum posts as those new features enter the EAP and will collect feedback before making them generally available.

What information is included in the data lake?

  • The data lake consists of information collected from Intercept X EDR endpoints and servers as well as the Sophos XG Firewall.
  • The endpoint fills the data lake by using Sophos-managed queries that run at intervals.
    • The queries do not extract ALL the available data from the endpoint, only what is necessary for threat hunting and investigations. A full schema is available in the documents section.
  • If you have deployed the XG Firewall with Central Firewall Reporting enabled, then all the information used for the firewall reports is included in the data lake.

How much information does each endpoint send to the data lake?

  • This is very much dependent on the activity on the endpoint and the queries we are running to collect the information. A typical Windows endpoint will send about 14MB of data per day and a Windows server will send about 40MB per day, but depending on what is running on those devices the amount of data can vary significantly.

Will all my endpoints be filling the data lake with information? Can I select which devices will participate?

  • As with other EAPs, as the admin you can select which devices will have the EAP software and will participate in filling the data lake. This is done from the early access program for the data lake under the manage option.

Can I test the data lake if I do not know how to use APIs? Will Sophos supply any test tools?

  • As part of the EAP we are posting a Git project with a test tool that allows you to connect to the data lake and run queries. It is intended to demonstrate how to use the APIs, but you can also use it to simply write, save and run queries against information in the data lake.
  • The Test Tool can be downloaded from GitHub here (click the Code drop-down and choose 'Download ZIP') or from the files section of the community forum.

Will Sophos provide sample queries for me to use?

  • We have published a query pack of about 80 queries here that you can use with the test tool or the APIs to explore information in the data lake.