Under Review

Sophos Central Live Discover "User account locked out" query missing timestamps

"User account locked out (Data Lake)" query in Live Discover is missing timestamps for the individual events in the report. How can we get the time stamps?

Knowing the event happened but not knowing when significantly hampers the investigation.

Is there a way to pivot to the event details including timestamp?

  • You could always edit the query and add some additional fields. E.g.
    SELECT
        meta_hostname AS ep_name,
        eventid,
        query_name,
        host_identifier,
        calendar_time,
        unix_time,
        epoch,
        meta_ip_address,
        meta_os_name,
        meta_mac_address,
        meta_public_ip,
        ingestion_timestamp,
        endpoint_id,
        upload_size,
        meta_domain_controller,
        customer_id,
        stream_ingest_date,
        subject_username,
        subject_domain,
        target_username,
        target_domain,
        description,
        provider_name,
        source
    FROM xdr_data
    WHERE query_name = 'windows_event_user_account_locked_out'
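
A follow-up query in the same style, added here as an example and not taken from the reply above or from Sophos's own Live Discover query library: it keeps the per-event timestamps from `xdr_data` (using `unix_time` for ordering, since `calendar_time` is a text field) and adds a per-account summary so a single lockout can be told apart from a burst of lockouts across several hosts. Column and table names are only those shown in the reply; the Presto/Athena-style `from_unixtime()` function and the literal epoch lower bound are assumptions and should be adjusted to the Data Lake's actual dialect and to the review window.

```sql
-- Added example, not part of the original post.
-- Assumes the Data Lake SQL dialect supports CTEs, standard aggregates and
-- the Presto/Athena-style from_unixtime(); replace 1700000000 with the start
-- of your review window (a constructed placeholder epoch value).
WITH lockouts AS (
    SELECT
        meta_hostname                 AS ep_name,
        meta_domain_controller,
        target_domain,
        target_username,
        subject_username,
        unix_time,                    -- integer epoch, safe to sort/aggregate
        from_unixtime(unix_time)      AS event_time,  -- assumption: Presto-style
        calendar_time,                -- original text timestamp kept for reference
        description
    FROM xdr_data
    WHERE query_name = 'windows_event_user_account_locked_out'
      AND unix_time >= 1700000000
),
per_account AS (
    SELECT
        target_domain,
        target_username,
        COUNT(*)                      AS lockout_count,
        COUNT(DISTINCT ep_name)       AS reporting_hosts,
        from_unixtime(MIN(unix_time)) AS first_seen,
        from_unixtime(MAX(unix_time)) AS last_seen
    FROM lockouts
    GROUP BY target_domain, target_username
)
-- Event-level rows with their timestamps, joined to the account summary so
-- each row shows whether it belongs to a repeated pattern worth a closer look.
SELECT
    l.event_time,
    l.ep_name,
    l.meta_domain_controller,
    l.target_domain,
    l.target_username,
    l.subject_username,
    p.lockout_count,
    p.reporting_hosts,
    p.first_seen,
    p.last_seen,
    l.description
FROM lockouts l
JOIN per_account p
  ON p.target_domain   = l.target_domain
 AND p.target_username = l.target_username
ORDER BY p.lockout_count DESC, l.unix_time DESC
```

Sorting on `unix_time` rather than `calendar_time` matters: `calendar_time` is a human-readable string, so `MIN`/`MAX` over it would order lexically, not chronologically. If the Data Lake rejects `from_unixtime()`, drop those wrapped columns and keep the raw `unix_time` values, which are still enough to build a timeline.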
    