Data Lake upload schedule for endpoints

I think it depends on a couple of things:

1. The time it takes the events to be recorded and then flushed to the journal files to be interrogated if the data you expect is coming from a Sophos journal. 
I believe this is 5 minutes.

2. The data in the data lake you are attempting to query and what the source is.  If you look in the file:
C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.conf
you can see the queries and how they obtain the data and therefore where the data comes from, is it a Sophos extension or from the osquery data for example.

It also has the interval of the query in seconds.

I think it depends on a couple of things:

1. The time it takes the events to be recorded and then flushed to the journal files to be interrogated if the data you expect is coming from a Sophos journal. 
I believe this is 5 minutes.

2. The data in the data lake you are attempting to query and what the source is.  If you look in the file:
C:\ProgramData\Sophos\Live Query\Queries\Packs\Latest\sophos-scheduled-query-pack.conf
you can see the queries and how they obtain the data and therefore where the data comes from, is it a Sophos extension or from the osquery data for example.

It also has the interval of the query in seconds.

Muhammad,

  The XDR query pack logic is updated regularly behind the scenes and within the query packs, differing queries are staggered for upload to the data lake for hydration as mentioned by User930.  Keep in mind the info maintained here as well on data storage limits as well:

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DataLakeStorageLimits.html