It may be valuable to view the parsed logs from your Sophos Network Threat Protection engine. Here you can see the time stamps, PID, program and URL accessed.
--Declare YYYY-MM-DD as a string variable WITH sntp_table AS (SELECT * FROM grep WHERE path = 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log' AND pattern = '$$YYYY-MM-DD$$'), Local_sntp AS (SELECT SPLIT(line, ' ', 0) A, SPLIT(line, ' ',1) Date_Time, SPLIT(line, ' ',2) PID, SPLIT(line, ' ',3) Dash, SPLIT(line, ' ',4) Process, SPLIT(line, ' ',5) Path, SPLIT(line, ' ',6) Accessed, SPLIT(line, ' ',7) Address FROM sntp_table) SELECT (REPLACE(REPLACE(A,'T',' '),'Z',' ')) AS Date_Time, REPLACE(PID,']', '') "pid:SophosPID", Process || ' ' || Path AS Program, Accessed || ' ' || Address AS URL FROM local_sntp
