There appears to be a delay between when an event happens on a server or endpoint and when I can run a live discover query on that data in the data lake. How long does it take for the Sophos agent to synchronize or upload its data to the data lake?
Maybe this file helps: C:\ProgramData\Sophos\Live Query\Config\sophos.osquery.conf.d\sophos-scheduled-query-pack.conf
Each different element in the query pack has its own schedule. They are bundled together and uploaded at a regular interval - I will double check the exact interval.
However, there is also a local daily limit to the total amount of data an endpoint can upload - if it exceeds that limit it will throttle and not send anything further until the next day.
RichardP
Snr. New Product Introduction Engineer | CISSP | Sophos Technical Support
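An added illustration of what the per-query schedules in such a pack imply for data freshness, written for this thread rather than taken from Sophos. It assumes the pack uses the standard osquery pack schema ({"queries": {name: {"query", "interval"}}}); the upload interval and daily cap are hypothetical placeholders, not Sophos values.

```python
"""Inspect an osquery-style scheduled query pack and estimate how far behind
each query's results can be once they reach the data lake."""
import json

# Constructed sample in osquery pack format (not the real Sophos pack).
SAMPLE_PACK = json.dumps({
    "queries": {
        "processes": {"query": "SELECT * FROM processes;", "interval": 300},
        "listening_ports": {"query": "SELECT * FROM listening_ports;", "interval": 3600},
        "users": {"query": "SELECT * FROM users;", "interval": 86400},
    }
})

UPLOAD_INTERVAL_SECS = 600               # placeholder batch-upload cadence
DAILY_UPLOAD_CAP_BYTES = 50 * 1024 * 1024  # placeholder daily limit


def load_pack(text):
    """Return {query_name: interval_seconds} from pack JSON."""
    pack = json.loads(text)
    return {name: int(q["interval"]) for name, q in pack["queries"].items()}


def worst_case_latency(intervals, upload_interval=UPLOAD_INTERVAL_SECS):
    """Seconds between an event and its earliest data-lake availability.

    A change can land just after a scheduled run, so it waits up to one
    full query interval, then up to one upload interval before leaving
    the endpoint.
    """
    return {name: secs + upload_interval for name, secs in intervals.items()}


def apply_daily_cap(batch_sizes, cap=DAILY_UPLOAD_CAP_BYTES):
    """Simulate the daily throttle: once a batch would push the day's total
    over the cap, nothing further is sent that day. Returns (sent, held)."""
    total, sent, held, throttled = 0, 0, 0, False
    for size in batch_sizes:
        if throttled or total + size > cap:
            throttled = True
            held += 1
        else:
            total += size
            sent += 1
    return sent, held


if __name__ == "__main__":
    lat = worst_case_latency(load_pack(SAMPLE_PACK))
    for name, secs in sorted(lat.items(), key=lambda kv: kv[1]):
        print(f"{name:16s} up to {secs // 60} min behind")
```

Point the loader at the real pack file to see the actual per-query intervals on an endpoint; the upload cadence and cap still need to come from Sophos.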