The Sophos Central Data Lake lets customers search security and compliance data that devices upload to the cloud. We are updating the Data Lake schema to capture new event types and remove older event types.
Please note that these changes only apply to customers with a Managed Detection and Response (MDR) license.
New Event Types
Devices will upload new event types to the Data Lake. Customers can query these from the Live Discover section of Sophos Central. The following event types are being added:
- URL_activity – this captures URL events from an endpoint, and replaces the existing ‘sophos_urls_windows’ event type
- Authentication_activity – a new event type that captures account authentication events from different ETW (Event Tracing for Windows) sources
- Scheduled_task_activity – a new event type that captures events triggered by changes to scheduled tasks
- Account_activity – a new event type that captures user account events from different ETW (Event Tracing for Windows) sources
- Service_activity – a new event type that captures events triggered by changes through the Service Control Manager (SCM)
Please see the Endpoint Data Lake Schema for more details on the new event types and fields. These updates are being released in a phased rollout and will be available to all MDR customers by mid-September.
Retired Event Types
The ‘sophos_urls_windows’ event type will be retired in October 2024. URL information will instead be recorded in the ‘URL_activity’ event type. Customers that have created custom Live Discover queries that access these events should update their queries to use the new URL_activity event type.
The ‘changed_files_windows_sophos’ event type will also be retired in October 2024 due to low usage.
Sophos created Live Discover Data Lake queries have already been updated to reflect the new event types and will continue to run successfully.