Datalake upload exceeded 250MB/day on Exchange and Backup Servers - how to deal with?

Hi,

We noticed this on our Exchange and backup servers. This is happening every day.

By the nature of the applications, they are the busiest machines in our environment: they have lots of network connections, execute PowerShell all the time, and so on.

The machines are important and prio 1 targets in case of an attack, so we don't want to exclude anything. In other words, we want full protection and the ability to query the Data Lake for any security breach if needed.

How can we deal with this?

Severity,When,Event,User,"User Groups",Device,"Device Group",IPAddress
Low,"2021-10-22T14:01:55+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-22T11:24:47+02:00","Data-Lake-Uploads resumed",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-22T02:01:20+02:00","Data-Lake-Uploads resumed",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-22T02:01:01+02:00","Data-Lake-Uploads resumed",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-22T01:48:35+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-21T21:05:18+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-21T16:48:24+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-21T02:01:29+02:00","Data-Lake-Uploads resumed",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-21T02:01:20+02:00","Data-Lake-Uploads resumed",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-21T02:00:46+02:00","Data-Lake-Uploads resumed",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-21T01:46:36+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-20T22:16:39+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-20T18:32:11+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-20T02:01:29+02:00","Data-Lake-Uploads resumed",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-20T02:00:55+02:00","Data-Lake-Uploads resumed",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-20T02:00:50+02:00","Data-Lake-Uploads resumed",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-20T01:44:56+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-19T21:42:23+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-19T14:38:01+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-19T02:01:36+02:00","Data-Lake-Uploads resumed",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-19T02:01:18+02:00","Data-Lake-Uploads resumed",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-19T02:00:40+02:00","Data-Lake-Uploads resumed",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-19T01:46:55+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-18T21:03:05+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-18T14:13:57+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-18T02:01:27+02:00","Data-Lake-Uploads resumed",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-18T02:00:56+02:00","Data-Lake-Uploads resumed",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-17T23:03:51+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-17T02:00:47+02:00","Data-Lake-Uploads resumed",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-16T22:13:02+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
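An added example, not part of the original thread and not Sophos code: a small Python script that turns an event export like the one above into per-device figures, namely how often each server hit the limit, how many hours it then spent without Data Lake coverage (from "stopped" to the next "resumed"), and how quickly it burns through its daily quota. It embeds the rows for 20-22 October copied from the export above; the 250 MB figure is the per-device daily cap quoted in the replies further down, and the MB/h rate derived from it is only a rough lower bound.

```python
"""Turn the Sophos Central 'Data-Lake-Uploads stopped/resumed' export into
per-device coverage figures.

A 'stopped, reached daily limit' row opens a window in which the device's
telemetry no longer reaches the Data Lake; the next 'resumed' row for the same
device closes it.  Summing those windows shows how much of each day a server
is unqueryable, and the resume-to-stop time shows how fast it burns its quota.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

DAILY_LIMIT_MB = 250  # per-device daily cap as stated in the thread replies

# Rows copied from the event export in the post above (20-22 October 2021).
EVENT_CSV = """\
Severity,When,Event,User,"User Groups",Device,"Device Group",IPAddress
Low,"2021-10-22T14:01:55+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-22T11:24:47+02:00","Data-Lake-Uploads resumed",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-22T02:01:20+02:00","Data-Lake-Uploads resumed",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-22T02:01:01+02:00","Data-Lake-Uploads resumed",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-22T01:48:35+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-21T21:05:18+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-21T16:48:24+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-21T02:01:29+02:00","Data-Lake-Uploads resumed",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-21T02:01:20+02:00","Data-Lake-Uploads resumed",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-21T02:00:46+02:00","Data-Lake-Uploads resumed",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-21T01:46:36+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-20T22:16:39+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-20T18:32:11+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-20T02:01:29+02:00","Data-Lake-Uploads resumed",n/a,,mailboxserver," Mailservers Exchange ",xxx.xxx.xxx.1
Low,"2021-10-20T02:00:55+02:00","Data-Lake-Uploads resumed",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
Low,"2021-10-20T02:00:50+02:00","Data-Lake-Uploads resumed",n/a,,CAS-server," Mailservers Exchange ",xxx.xxx.xxx.209
Low,"2021-10-20T01:44:56+02:00","Data-Lake-Uploads stopped, reached daily limit",n/a,,backupserver," Veeam Servers",xxx.xxx.xxx.225
"""


def parse_events(csv_text):
    """Return (timestamp, kind, device) tuples sorted oldest first.

    kind is 'stopped' or 'resumed'; any other event text is skipped.  The
    export lists newest first, so the list is re-sorted before use."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        text = row["Event"]
        if "stopped" in text:
            kind = "stopped"
        elif "resumed" in text:
            kind = "resumed"
        else:
            continue
        # fromisoformat understands the +02:00 offset, so timestamps compare correctly
        events.append((datetime.fromisoformat(row["When"]), kind, row["Device"]))
    events.sort(key=lambda e: e[0])
    return events


def coverage_gaps(events):
    """Pair each stop with the next resume on the same device.

    Returns {device: [(stop_ts, resume_ts or None), ...]}.  None means the
    device was still over its limit when the export was taken."""
    gaps = defaultdict(list)
    open_stop = {}
    for ts, kind, device in events:
        if kind == "stopped":
            open_stop.setdefault(device, ts)  # keep the first of repeated stops
        elif device in open_stop:
            gaps[device].append((open_stop.pop(device), ts))
    for device, ts in open_stop.items():
        gaps[device].append((ts, None))
    return dict(gaps)


def time_to_limit(events):
    """Seconds from each resume to the following stop, per device.

    The shortest interval is the worst case; DAILY_LIMIT_MB divided by it
    gives a rough lower bound on the device's upload rate."""
    runs = defaultdict(list)
    last_resume = {}
    for ts, kind, device in events:
        if kind == "resumed":
            last_resume[device] = ts
        elif device in last_resume:
            runs[device].append(int((ts - last_resume.pop(device)).total_seconds()))
    return dict(runs)


def summarize(events):
    """Per device: breaches, unclosed breaches, seconds without coverage and
    an estimated upload rate in MB/h derived from the fastest quota burn."""
    runs = time_to_limit(events)
    summary = {}
    for device, windows in coverage_gaps(events).items():
        closed = [(s, r) for s, r in windows if r is not None]
        fastest = min(runs.get(device, []), default=None)
        summary[device] = {
            "stops": len(windows),
            "unclosed": len(windows) - len(closed),
            "gap_seconds": int(sum((r - s).total_seconds() for s, r in closed)),
            "fastest_burn_seconds": fastest,
            "approx_mb_per_hour": (
                round(DAILY_LIMIT_MB * 3600 / fastest, 1) if fastest else None
            ),
        }
    return summary


if __name__ == "__main__":
    for device, stats in sorted(summarize(parse_events(EVENT_CSV)).items()):
        print(f"{device:15} stops={stats['stops']} unclosed={stats['unclosed']} "
              f"no-coverage={stats['gap_seconds'] / 3600:.1f}h "
              f"rate~{stats['approx_mb_per_hour']} MB/h")
```

In these rows every device resumes around 02:00 local time, which looks like the daily reset, so the useful number is how long before that reset each server goes dark: the CAS server reaches the cap early in the afternoon and is then unqueryable for the rest of the day, while the backup server only trips the limit shortly before the reset. Run the same script against a full month of exports to see which servers would actually be covered by the higher cap the replies mention and which need their upload volume investigated.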

  • Hello LHerzog,

    Thank you for reaching out to the Sophos Community. 

    Regarding the Data Lake upload limits, it’s not possible to adjust or change the limits, as these are defined by the number and type of licenses you have. The overall limit for the month is accumulated together; however, one singular device can only upload a maximum of 250MB per day. 

    • The endpoint pool can have 20 MB per license per day (600 MB per license per month).
    • The server pool can have 40 MB per license per day (1200 MB per license per month).

    The points above are taken from the Data Lake storage limits document. 

    With a Sophos Central MTR license, the daily limit is increased from 250MB to 2GB. You can find further information here.

    Kushal Lakhan
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks for your response - MTR is in our pipeline.

    But do you have any suggestion on how to deal with this type of server? I mean, there should be some known use cases at Sophos about recommended settings for mail servers and backup. Or are your customers just excluding the machines from the Data Lake?

    Maybe it's possible to exclude some local processes from being logged into the upload data?

  • Hello LHerzog,

    At this time, it's not possible to adjust the default Data Lake hydration queries. The suggested way to address this is to determine which queries are uploading the largest amount of data. 

    We can then look at what is occurring on the device to see if anything is out of the ordinary or can be adjusted so that less data is generated for upload. This process is detailed further in the following KBA. 
    Troubleshoot Data Lake daily limit breaches

    I hope this helps, though if you do have any further questions, feel free to reach back out on this thread. 

    Kushal Lakhan
    Global Community Support Engineer
  • Thanks again.

    I followed the KB and created the query. For a Veeam backup server we have this for the last day (daily upload exceeded):

    • Hostname.exe - OK??
      Note: This is called by a PowerShell script here, triggered by the check_mk agent. The script runs every minute and queries the hostname to fill a variable.
    • running_processes_windows_sophos

    And for the Exchange CAS, most of the information is logon activity and threat_pass_the_hash, whatever this is.
    High logon activity is quite normal for this type of server.

    What can I now do with this information? Create a support case or what do you suggest?

  • Hi,

    I spoke to our internal team, and they advise us to create a case for this to further see what we can do about it and came up with a workaround.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community