Browse Live Discover and Response Queries by Category
Under Review

Sophos Central Live Discover "User account locked out" query missing timestamps

"User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the time stamps?

Knowing the event happened but not knowing when significantly hampers the investigation. 

Is there a way to pivot to the event details including time stamp? 

Sophos User2229
  • calendar_time is the field which returns the event's timestamp.
  • I was able to generate some data to test with and found that SophosUser930's suggestion will work. The field you are concerned with would be "calendar_time", though you may want to remove some of the other fields if you don't deem them necessary.
  • Thank you Kushal. Probing the online devices directly is an option if you look into the event in relatively short time period (hours or days) as they Security log on the endpoints normally doesn't hold the event longer. This is one of the reasons for using Data Lake but the Data Lake unfortunately doesn't have this information. Thank you for your assistance but we will not continue on this topic anymore.
  • I will generate some audited account lockout events in my lab environment to test further. In the interim, you can also use the following Live Discover Query to query your online devices directly. This may work as an alternative. 
    SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source,
provider_name, eventid, task_message, data
FROM sophos_windows_events
WHERE eventid
IN ('4740')
  • Hello Kushal, Fields time and datetime added to the query (one at a time). The field "datetime" returns "Column 'datetime' cannot be resolved'". The field "time" returns no data (the field is blank for all events). Thank you for your assistance but we don't want to continue on this topic anymore.  
  • Navigating to the "sophos_windows_events" Table of the docs.sophos.com/.../index.html and expanding "Fields", shows that a couple of options are available to display the time. Could you elaborate on what sort of errors you're getting when adding a line for either "time" or "datetime"? 
  • Thank you User930, but there is no additional time related field in this schema (per Sophos technical support). They advised me to go to Sophos community (here) to present the question as Sophos technical support doesn't provide support for the queries (Live Discover).
  • You could always edit the query and add some additional fields.  E.g. 
    SELECT
    meta_hostname AS ep_name,
    eventid,
    query_name,
    host_identifier,
    calendar_time,
    unix_time,
    epoch,
    meta_ip_address,
    meta_os_name,
    meta_mac_address,
    meta_public_ip,
    ingestion_timestamp,
    endpoint_id,
    upload_size,
    meta_domain_controller,
    customer_id,
    stream_ingest_date,
    subject_username,
    subject_domain,
    target_username,
    target_domain,
    description,
    provider_name,
    source
FROM xdr_data
WHERE query_name = 'windows_event_user_account_locked_out'
Unfiltered HTML