Sophos Datalake wrong timestamp with Windows Event

Hello Team,

Hope you are all doing fine,

Our customer in France is an active MDR customer and is applying a certification and compliance process internally.

Their goal is to use our Datalake as storage for some Windows Events and to track them if needed within the 90-day log retention.

One of the requests they have is regarding user account creation: Windows Event ID 4720 (https://support.sophos.com/support/s/article/KB-000045884?language=en_US)

On the Windows side, here is what we observe: date and time: 28/05/2024 14:50:35

On Sophos Central, after applying a custom query, here is the result: date: 28/05/2024, time: 13:02:53

We can see that there is a difference in time, and this is painful for forensics if we don't have the same timestamp. Questions:

How do we get the same date and time from the Windows event into the Datalake?

Is there a time gap between Windows and the Datalake for all Windows Events?

Thank you, and feel free to reach out if you need further information.

Best,



[edited by: GlennSen at 4:02 PM (GMT -7) on 1 Jul 2024]
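The check a responder would run on the two timestamps in the post, as an added example that is not part of the original post and not Sophos code. It parses the XML view of a Windows Security event 4720 (where `TimeCreated/@SystemTime` is always recorded in UTC, while Event Viewer displays it in the host's local zone), converts it to the local display zone, and compares it with the value shown in the data lake. It assumes the data-lake column is UTC, uses a fixed UTC+2 offset for Paris in late May, and embeds a constructed 4720 event and the post's two times as sample input; `correlate`, `extract_4720` and the field names of the result are names chosen here, not a Sophos API.

```python
"""Correlate a Windows Security event 4720 with the time shown for it in a data-lake
record, separating a timezone display difference from a real offset."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed sample (not a real customer record): the XML view of a 4720 event as
# exported by `wevtutil qe Security /q:"*[System[EventID=4720]]" /f:xml /c:1`.
# TimeCreated/@SystemTime is stored in UTC; Event Viewer renders it in the host's
# local zone. 12:50:35Z is 14:50:35 in Paris (UTC+2 in May), as in the post.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2024-05-28T12:50:35.4710000Z"/>
    <Computer>WS-FR-01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">j.dupont</Data>
    <Data Name="SubjectUserName">helpdesk-admin</Data>
  </EventData>
</Event>
"""

# Assumption: the data-lake column is UTC. The value is the one quoted in the post.
SAMPLE_LAKE_TIME = "2024-05-28T13:02:53"

# Fixed offset for Paris in late May (CEST). In production use ZoneInfo("Europe/Paris")
# so DST is handled; a fixed offset keeps this sample independent of tzdata.
PARIS_CEST = timezone(timedelta(hours=2), "CEST")

_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
_SYSTEMTIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_system_time(value: str) -> datetime:
    """Parse TimeCreated/@SystemTime (UTC, up to 7 fractional digits) into an aware datetime."""
    m = _SYSTEMTIME_RE.match(value)
    if not m:
        raise ValueError(f"unexpected SystemTime format: {value!r}")
    base, frac = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))  # Windows uses 100 ns ticks; keep microseconds
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=timezone.utc)


def extract_4720(xml_text: str) -> dict:
    """Pull the fields a forensic timeline needs from a 4720 event's XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=_NS))
    if event_id != 4720:
        raise ValueError(f"expected event 4720, got {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", _NS)}
    return {
        "event_id": event_id,
        "computer": root.findtext("e:System/e:Computer", namespaces=_NS),
        "time_utc": parse_system_time(root.find("e:System/e:TimeCreated", _NS).get("SystemTime")),
        "target_user": data.get("TargetUserName"),
        "created_by": data.get("SubjectUserName"),
    }


def _parse_lake_time(value: str) -> datetime:
    """Data-lake timestamps without a zone are taken as UTC (assumption, see lead-in)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def correlate(event_xml: str, lake_time: str, display_tz: tzinfo) -> dict:
    """Compare the event's true UTC instant with the lake value and explain the gap."""
    ev = extract_4720(event_xml)
    event_utc = ev["time_utc"]
    lake_utc = _parse_lake_time(lake_time)
    local_display = event_utc.astimezone(display_tz)  # what Event Viewer shows
    tz_offset = display_tz.utcoffset(event_utc)
    true_delta = lake_utc - event_utc  # both in UTC, so this is the real gap
    # What the analyst sees reading the two screens side by side, zones ignored:
    naive_delta = lake_utc.replace(tzinfo=None) - local_display.replace(tzinfo=None)

    tol = timedelta(seconds=2)
    if abs(true_delta) <= tol:
        verdict = "same instant: the lake shows UTC, Event Viewer shows local time"
    elif abs(true_delta - tz_offset) <= tol:
        verdict = "same instant: the lake value is already in local time, not UTC"
    elif true_delta > tol:
        verdict = ("lake value is later than TimeCreated even after the timezone is removed: "
                   "it is a different timestamp (e.g. when the record was received) or clock skew")
    else:
        verdict = "lake value precedes TimeCreated: check clock sync on the endpoint and collector"
    return {
        "target_user": ev["target_user"],
        "event_utc": event_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "local_display": local_display.strftime("%d/%m/%Y %H:%M:%S"),
        "lake_utc": lake_utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "apparent_gap_seconds": round(naive_delta.total_seconds()),
        "real_gap_seconds": round(true_delta.total_seconds()),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in correlate(SAMPLE_EVENT_XML, SAMPLE_LAKE_TIME, PARIS_CEST).items():
        print(f"{k:>21}: {v}")
```

On the post's two values the apparent gap (14:50:35 local vs 13:02:53) is 1 h 47 min 42 s, which is not a whole number of hours, so a timezone alone cannot explain it; once the event is converted to UTC (12:50:35Z) the lake value is about 12 minutes later, which is the figure to raise with support when asking which timestamp field the custom query returns. For a real comparison, export the event with `wevtutil` as in the comment above and take the lake value from the query result rather than a screenshot.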