When deployed alongside the Endpoint software, the XDR Data Lake is filled with the results of scheduled queries that are managed by Sophos. Each scheduled query produces its own data set in the data lake, and to access the rows of a specific scheduled query you must filter on its query_name.
The query below lists every scheduled query that has so far written rows into the data lake, together with a row count. The number of query names you see will vary between deployments: a query_name only appears once at least one device has returned results for that query, so a scheduled query that has not yet produced any data will not be listed.
-- LIST ALL TABLES
SELECT DISTINCT query_name, COUNT(endpoint_id) Entries
FROM xdr_data
GROUP BY query_name
ORDER BY query_name ASC
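Note that Entries above is a row count, not a device count: COUNT(endpoint_id) counts every row, so a query that returns many rows per device (open_sockets, sophos_ips_windows) dominates the table even if it covers few machines. The following is an added example, not a query from the original page or from Sophos, that reports coverage and recency per scheduled query and then pulls the rows of one specific query. It assumes xdr_data also carries an ingestion_timestamp column (an assumption; drop that column from the SELECT and ORDER BY if your schema differs) and uses 'listening_ports' only as a placeholder query_name taken from the sample listing.

```sql
-- Added example (not from the original page or Sophos).
-- Assumption: xdr_data has an ingestion_timestamp column; endpoint_id and
-- query_name are the columns used by the listing query on this page.

-- 1. Coverage per scheduled query: rows, distinct devices, most recent ingestion.
--    A query whose devices_reporting is far below your fleet size has not been
--    answered by most machines yet, regardless of how large rows_returned is.
SELECT
    query_name,
    COUNT(*)                    AS rows_returned,
    COUNT(DISTINCT endpoint_id) AS devices_reporting,
    MAX(ingestion_timestamp)    AS last_seen
FROM xdr_data
GROUP BY query_name
ORDER BY last_seen DESC, query_name ASC;

-- 2. Rows of one scheduled query, newest first. Replace the literal with any
--    query_name that appears in the listing; a name that has produced no data
--    simply returns zero rows rather than an error.
SELECT *
FROM xdr_data
WHERE query_name = 'listening_ports'
ORDER BY ingestion_timestamp DESC
LIMIT 100;
```

The DISTINCT in the page's own listing query is redundant once GROUP BY query_name is present, so the first statement omits it; the result set is identical.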
Sample results
+----------------------------------+-----------+
| query_name                       | Entries   |
|----------------------------------+-----------|
| arp_cache                        | 191       |
| changed_files_windows_sophos     | 769       |
| chrome_extensions                | 78        |
| ie_extensions                    | 63        |
| listening_ports                  | 930       |
| network_interfaces               | 106       |
| open_sockets                     | 76949     |
| running_processes_windows_sophos | 55064     |
| sophos_ips_windows               | 124589    |
| sophos_urls_windows              | 9257      |
| user_accounts                    | 106       |
| vulnerability_dep                | 14        |
| vulnerability_disallowed_paths   | 954       |
| vulnerability_uac_disabled       | 3         |
| vulnerability_unrestricted_paths | 934       |
| windows_event_successful_logon   | 2441      |
| windows_powershell_script_blocks | 64        |
| windows_programs                 | 1814      |
| windows_startup_items            | 1826      |
| windows_startup_programs_md5     | 110       |
| windows_updates_patch            | 744       |
+----------------------------------+-----------+