Sophos Central Live Discover "User account locked out" query missing timestamps

The "User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the timestamps?

Knowing the event happened but not knowing when significantly hampers the investigation.

Is there a way to pivot to the event details, including the timestamp?

  • I was able to generate some data to test with and found that SophosUser930's suggestion will work. The field you are concerned with would be "calendar_time", though you may want to remove some of the other fields if you don't deem them necessary.
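A Data Lake query shaped like the one the reply describes, written here as an added example rather than the thread's or Sophos's stock query: `calendar_time` is the field the reply names, and 4740 is the Windows Security event ID for "A user account was locked out". The table name `xdr_data` and the columns `meta_hostname`, `windows_event_id` and `description` are assumptions; check them against the FROM and WHERE clauses of the stock "User account locked out (Data Lake)" query before running it.

```sql
-- Added example, not the stock Sophos query.
-- Assumed: table xdr_data and columns meta_hostname, windows_event_id, description.
-- calendar_time (the field named in the reply) is the time the event was recorded;
-- selecting it and ordering by it turns a bare list of lockouts into a timeline.
SELECT
    calendar_time,            -- when the lockout was recorded (the missing timestamp)
    meta_hostname,            -- endpoint that reported the event
    windows_event_id,
    description
FROM xdr_data
WHERE windows_event_id = 4740 -- Windows Security: "A user account was locked out"
ORDER BY calendar_time DESC
LIMIT 100;
```

If `calendar_time` is stored as text rather than a timestamp type in your Data Lake, `ORDER BY` sorts it alphabetically; in that case order by whatever numeric or timestamp time column the stock query exposes and keep `calendar_time` only for display.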