Hello, we would like to have a query to search for specific Windows events by an EventID variable. Thanks in advance.
Thanks for reaching out to the Sophos Community Forum.
You can use the following query to do this. You can fill in additional or fewer event IDs where "EventID" is referenced.
-- Windows event log entries exposed to Live Discover by the sophos_windows_events table
SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source,
       provider_name, eventid, task_message, data
FROM sophos_windows_events
-- replace each 'EventID' with a numeric event ID (add or remove entries as needed)
WHERE eventid IN ('EventID', 'EventID')
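As an added example (not part of the original answer), the same query driven by a Live Discover query variable instead of hard-coded IDs, restricted to a time window and pulling a field out of the event's XML-derived JSON payload. It assumes the sophos_windows_events table and Live Discover's $$name$$ variable substitution; the variable name EventID, the 7-day window and the SubjectUserName path inside the data column are assumptions for illustration.

```sql
-- Added example: Live Discover query parameterised by an "EventID" variable.
-- $$EventID$$ is substituted textually with the value the operator types in
-- (assumed here to be a single event ID or a comma-separated list, e.g. 4624,4688).
SELECT
    datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp,
    source,
    provider_name,
    eventid,
    task_message,
    -- assumption: data holds the event as JSON, so EventData fields can be extracted
    json_extract(data, '$.EventData.SubjectUserName') AS SubjectUserName,
    data
FROM sophos_windows_events
WHERE eventid IN ($$EventID$$)
  -- assumption: only look at the last 7 days to keep the result set small
  AND time > strftime('%s', 'now', '-7 days')
ORDER BY time DESC;
```

If the Live Discover variable is defined with a string type, a list typed as 4624,4688 is substituted as-is into the IN (...) clause; if you define it as a number, use `eventid = $$EventID$$` and run one query per event ID instead.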