If you comb through the duplicates in your events (using the command I used to check for dupes in Splunk), you will see quite a few events are duplicated at least 11 times (at least in my case). This massive number of duplicates spamming the logs, coupled with the 1000-event limit per API retrieval, means that it is almost certain that you will fall behind in getting your newest events. I am still waiting on Sophos Support to get this resolved. I would encourage you to put in your own ticket to encourage Sophos to get this resolved.
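The duplicate problem described in the post above can be measured and worked around on the collector side. The following is an added example, not code from the post or from Sophos: it counts how many times each event ID appears in a pulled batch, drops events already seen in an earlier poll, and estimates how many 1000-event API pages a given duplication rate costs. It assumes each event carries a unique `id` field; the sample batch (one event repeated 11 times, another 3 times, three singletons) and its field names are constructed for illustration.

```python
from collections import Counter

# Events returned per API call, as stated in the post.
PAGE_LIMIT = 1000

def _event(n):
    # Constructed sample record; field names are assumptions, not the real API schema.
    return {"id": f"evt-{n}", "created_at": f"2024-01-01T00:00:{n:02d}Z", "severity": "medium"}

# Constructed sample batch: evt-1 appears 11 times, evt-2 three times, evt-3..evt-5 once each.
SAMPLE_BATCH = [_event(1)] * 11 + [_event(2)] * 3 + [_event(n) for n in range(3, 6)]


def duplicate_report(events, key="id"):
    """Summarise duplication in one batch: totals, unique count, worst multiplicity,
    and the IDs that occur more than once (with their counts)."""
    counts = Counter(e[key] for e in events)
    return {
        "total": len(events),
        "unique": len(counts),
        "max_multiplicity": max(counts.values(), default=0),
        "duplicates": {k: c for k, c in counts.items() if c > 1},
    }


def dedupe(events, seen, key="id"):
    """Return only events whose ID has not been seen before.

    `seen` is a set the caller keeps across polls (persist it to disk if the
    collector restarts); it is updated in place so later batches are filtered too.
    """
    fresh = []
    for e in events:
        k = e[key]
        if k in seen:
            continue
        seen.add(k)
        fresh.append(e)
    return fresh


def pages_needed(new_unique_events, multiplicity, page_limit=PAGE_LIMIT):
    """Number of API calls required to retrieve `new_unique_events` distinct events
    when each one is delivered `multiplicity` times (ceiling division)."""
    raw_rows = new_unique_events * multiplicity
    return -(-raw_rows // page_limit)


if __name__ == "__main__":
    print(duplicate_report(SAMPLE_BATCH))
    seen_ids = set()
    first_pass = dedupe(SAMPLE_BATCH, seen_ids)
    second_pass = dedupe(SAMPLE_BATCH, seen_ids)  # same batch pulled again
    print(len(first_pass), "new on first pass,", len(second_pass), "new on second pass")
    print("pages for 1000 unique events at 11x duplication:", pages_needed(1000, 11))
```

Note that deduplicating after retrieval fixes the double-counting in the SIEM but not the backlog: with every event delivered 11 times, 1000 new events still cost 11 pages of API calls, which is why the post recommends raising the issue with the vendor rather than only filtering downstream.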