Sophos Live Discover provides capabilities for analysts to query data on both the endpoint as well as in the Sophos Data Lake. Queries can be run either ad-hoc or scheduled to run on intervals.

We are making updates that will affect some of the existing endpoint tables and endpoint queries in Live Discover. The changes affect Linux endpoints running version 2024.3 and later. Customers still running FTS 2024.2.1.8 and LTS 2024.1.0 can continue using the legacy tables and Live Discover endpoint queries. Note that these changes only affect endpoint tables and queries; data lake tables and queries are not affected.

New Tables and Endpoint Queries

Users can query these tables on endpoints running version 2024.3 and later via Live Discover in Sophos Central.

  • running_processes_linux_events_capnp
  • user_events_linux_capnp

The following endpoint queries, accessible in Live Discover, use these endpoint tables.

  • Process events
  • Process events by username
  • User Details (Linux)
  • User events
  • User events by username

Legacy Tables and Endpoint Queries

Note that the following endpoint tables and queries will be retired in October 2025.

Users can continue to query these tables on endpoints running FTS 2024.2.1.8 and LTS 2024.1.0 via Live Discover in Sophos Central.

  • process_events
  • user_events

The following endpoint queries, accessible in Live Discover, are being introduced to continue supporting these legacy tables.

  • Process events (Legacy)
  • Process events by username (Legacy)
  • User Details (Linux) (Legacy)
  • User events (Legacy)
  • User events by username (Legacy)

The Endpoint Data Lake Schema includes details on the new tables and fields. Endpoint query updates will automatically become available within Live Discover.
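Teams that maintain their own saved or scheduled Live Discover queries will want to know which of them still reference the two legacy tables before the October 2025 retirement. The following script is an added example, not Sophos code: it scans a set of query strings for whole-identifier references to `process_events` and `user_events` and can rewrite those table names to `running_processes_linux_events_capnp` and `user_events_linux_capnp`. The sample queries, their column names, and the table mapping itself are assumptions constructed for the example; only the table names come from the announcement. Column names in the new tables may differ, so any rewritten query must still be checked against the Endpoint Data Lake Schema before it is scheduled.

```python
import re

# Legacy endpoint tables (retired October 2025) mapped to the tables introduced
# for Linux 2024.3+. The names are from the announcement; treating them as a
# one-to-one mapping is an assumption made for this example.
LEGACY_TO_NEW = {
    "process_events": "running_processes_linux_events_capnp",
    "user_events": "user_events_linux_capnp",
}

# Match a legacy name only as a whole identifier. The negative lookahead keeps
# the new table user_events_linux_capnp from being reported as legacy user_events.
_LEGACY_IDENT = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, LEGACY_TO_NEW)) + r")(?![A-Za-z0-9_])"
)


def find_legacy_tables(query_sql: str) -> list[str]:
    """Return the sorted, de-duplicated legacy table names referenced by a query."""
    return sorted(set(_LEGACY_IDENT.findall(query_sql)))


def rewrite_table_names(query_sql: str) -> str:
    """Replace legacy table identifiers with their new names in a single pass.

    A single regex substitution is used so that an inserted new name (which
    contains the old one as a prefix) is never matched a second time.
    """
    return _LEGACY_IDENT.sub(lambda m: LEGACY_TO_NEW[m.group(1)], query_sql)


def audit_saved_queries(queries: dict[str, str]) -> dict[str, list[str]]:
    """Map each query name to the legacy tables it references (empty if none)."""
    return {name: find_legacy_tables(sql) for name, sql in queries.items()}


# Constructed sample of saved queries; column names are illustrative only.
SAMPLE_QUERIES = {
    "Process events (custom copy)": "SELECT * FROM process_events WHERE path LIKE '/tmp/%'",
    "User events by username (custom)": "SELECT * FROM user_events WHERE username = 'root'",
    "Already migrated": "SELECT * FROM user_events_linux_capnp LIMIT 10",
    "Unrelated osquery table": "SELECT pid, name FROM processes LIMIT 10",
}


if __name__ == "__main__":
    for name, legacy in audit_saved_queries(SAMPLE_QUERIES).items():
        if legacy:
            print(f"{name!r} references legacy table(s) {legacy}")
            print("  suggested:", rewrite_table_names(SAMPLE_QUERIES[name]))
        else:
            print(f"{name!r}: no legacy tables")
```

Run the audit before the retirement date and review each flagged query by hand; the rewrite only changes table names and cannot tell you whether the columns the query selects or filters on exist in the new tables.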