Under Review

Sophos Central Live Discover "User account locked out" query missing timestamps

"User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the timestamps?

Knowing the event happened but not knowing when significantly hampers the investigation.

Is there a way to pivot to the event details, including the timestamp?

  • I will generate some audited account lockout events in my lab environment to test further. In the interim, you can also use the following Live Discover Query to query your online devices directly. This may work as an alternative.
    SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source,
    provider_name, eventid, task_message, data
    FROM sophos_windows_events
    WHERE eventid
    IN ('4740')
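As an added, offline illustration (not part of the original thread and not Sophos's own code), the Python below runs the same SQL against an in-memory SQLite table whose column layout and JSON `data` payload are assumed to resemble sophos_windows_events, then pulls the locked-out account and the reporting DC out of each 4740 event so each timestamp can be tied to an account and repeated lockouts counted.

```python
import json
import sqlite3
from collections import Counter

def _row(ts, eventid, user, dc):
    """Constructed row: (time epoch, source, provider_name, eventid, task_message, data)."""
    return (ts, "Security", "Microsoft-Windows-Security-Auditing", eventid,
            "User Account Management" if eventid == 4740 else "Logon",
            json.dumps({"EventData": {"TargetUserName": user,
                                      "TargetDomainName": "CORP",
                                      "SubjectUserName": dc}}))

# Three 4740 lockouts (jdoe locked twice) plus one unrelated 4624 logon.
SAMPLE_EVENTS = [_row(1700000000, 4740, "jdoe", "DC01$"),
                 _row(1700000300, 4624, "alice", "WS7$"),
                 _row(1700000600, 4740, "svc_backup", "DC01$"),
                 _row(1700000900, 4740, "jdoe", "DC02$")]

# The query from the thread; 'localtime' is dropped so the output is UTC and
# does not depend on this machine's time zone (add it back to match the post).
QUERY = """
SELECT datetime(time, 'unixepoch') AS EventTimeStamp, source,
       provider_name, eventid, task_message, data
FROM sophos_windows_events
WHERE eventid IN ('4740')
ORDER BY time
"""

def build_db(rows=SAMPLE_EVENTS):
    """Create an in-memory table with the assumed schema and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sophos_windows_events (time INTEGER, source TEXT, "
                 "provider_name TEXT, eventid INTEGER, task_message TEXT, data TEXT)")
    conn.executemany("INSERT INTO sophos_windows_events VALUES (?,?,?,?,?,?)", rows)
    return conn

def lockout_events(conn):
    """Run the query and flatten each 4740 row to timestamp, account and locking DC."""
    events = []
    for ts, source, _prov, eventid, _task, data in conn.execute(QUERY):
        ed = json.loads(data).get("EventData", {})  # assumed JSON payload shape
        account = f"{ed.get('TargetDomainName', '')}\\{ed.get('TargetUserName', '')}"
        events.append({"time": ts, "eventid": eventid, "source": source,
                       "account": account, "locked_by": ed.get("SubjectUserName", "")})
    return events

def lockouts_per_account(events):
    """Count lockouts per account; repeated lockouts of one account are the usual pivot."""
    return dict(Counter(e["account"] for e in events))
```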