
Sophos Central Live Discover "User account locked out" query missing timestamps

The "User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the timestamps?

Knowing the event happened but not knowing when significantly hampers the investigation. 

Is there a way to pivot to the event details, including the timestamp?

  • Thank you Kushal. Probing the online devices directly is an option if you look into the event within a relatively short time period (hours or days), as the Security log on the endpoints normally doesn't hold the event for longer. This is one of the reasons for using the Data Lake, but the Data Lake unfortunately doesn't have this information. Thank you for your assistance, but we will not continue on this topic anymore.
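For anyone landing here with the same problem, the following is an added example of the "probe the online device directly" approach, not code from the thread or from Sophos. It is an osquery-style query of the kind Live Discover runs on an online Windows endpoint, and it assumes the standard osquery `windows_events` table (columns `time`, `datetime`, `computer_name`, `eventid`, `data`) is available to the endpoint query, that the `data` column carries the event's EventData as JSON under an `EventData` key, and that the endpoint being queried is the one that writes the lockout event (the domain controller for domain accounts, the local machine for local accounts). Event ID 4740 is the Windows Security event "A user account was locked out"; the field names below are those of that event.

```sql
-- Added example, not from the original thread or from Sophos.
-- Assumes the osquery 'windows_events' table and that 'data' holds the
-- event's EventData as JSON (e.g. {"EventData": {"TargetUserName": ...}}).
-- Event ID 4740 = "A user account was locked out" (Security log).
SELECT
  datetime                                                  AS locked_at_utc,
  computer_name                                             AS logging_host,
  eventid,
  JSON_EXTRACT(data, '$.EventData.TargetUserName')          AS locked_account,
  -- In 4740, TargetDomainName carries the name of the computer from which
  -- the failed logons that triggered the lockout originated.
  JSON_EXTRACT(data, '$.EventData.TargetDomainName')        AS caller_computer,
  JSON_EXTRACT(data, '$.EventData.TargetSid')               AS locked_account_sid
FROM windows_events
WHERE source = 'Security'
  AND eventid = 4740
  -- Only look back 7 days: the endpoint Security log typically rolls over
  -- quickly, which is the limitation the reply above describes.
  AND time > strftime('%s', 'now') - 7 * 86400
ORDER BY time DESC;
```

The query returns one row per lockout with the event's own timestamp, which is what the Data Lake report lacks. It only works while the event is still in the endpoint's Security log, so it is a short-window pivot, not a replacement for retained telemetry.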