Enabling the Sophos Data Lake for Mac


Mac customers with Intercept X Advanced with XDR can query up to 30 days of data stored in the Sophos Data Lake.

On October 21, we plan to start enabling the Sophos Data Lake for all Mac customers with an Intercept X Advanced with XDR license who have enabled Endpoint Data Lake uploads. This means that Mac devices will store up to 30 days of data in the data lake, which can be queried even if the device is currently offline.

Customers don’t need to take any action unless they wish to exclude devices from uploading to the data lake, or have previously excluded devices and now want them to upload to the data lake.

How to enable or disable Data Lake uploads:
In the Sophos Central console, select ‘Global Settings’, then under Endpoint Protection select the ‘Data Lake uploads’ setting and turn the ‘Upload to the Data Lake’ toggle on or off. From the settings page, you can also exclude specific devices from sending data to the Sophos Data Lake.

Joining the Detections and Investigations early access program
Customers that are uploading Mac data to the data lake can benefit from the new Detections dashboard that provides a prioritized list of suspicious items ranked on a 1-10 scale of risk. It makes it easy for admins to identify and focus on critical areas. Learn more about the early access program.