Skip to content

Sophos XDR Integration

You can use Sophos Cloud Optix data with Live Discover in Sophos Central.

Sophos can upload activity logs, for example AWS CloudTrail logs, from Sophos Cloud Optix to the Sophos Data Lake. In Sophos Central, you can then run Live Discover queries in the Threat Analysis Center to detect suspicious activity in your cloud environments.

To use Sophos Cloud Optix data in Sophos XDR, you need a Sophos Cloud Optix Advanced license in Sophos Central. You also need an Intercept X license that includes Sophos XDR.

You need to turn on Data Lake uploads in Sophos Cloud Optix advanced settings. You must be a Super Admin Sophos Cloud Optix Advanced to do this. You can upload activity log data for specific cloud environments in Sophos Cloud Optix or all your environments.

We provide a set of pre-prepared Sophos Cloud Optix queries in Live Discover in the Threat Analysis Center. You can run these queries, edit them, or create your own. See Live Discover.

Data Lake storage limits

Your Data Lake storage limit for Sophos Cloud Optix data is set by the number of cloud assets you've licensed.

Data is stored in the Data Lake for 30 days, or until you reach your limit, whichever comes first.

If you exceed a storage limit, we remove the oldest data until your data is under the limit.

Environment Access Controls

Environment Access Control settings in Sophos Cloud Optix aren't recognized in Sophos XDR. You can use Environment Access Controls to restrict an admin's access to specific environments in Sophos Cloud Optix. However if they have permission to use Sophos XDR, they can query data for other environments using Live Discover.

If you use Environment Access Controls in Sophos Cloud Optix, you must take this into consideration when choosing the environments that upload data to the Data Lake.