KB article: Confirm what events aren't listed in the Endpoint log
Sophos Technical Support have confirmed that it is expected behaviour for the Endpoint Events log to display an incomplete list, as compared to that available in Sophos Central Admin console reports by Device.
For instance, it appears that ‘Application [X] was blocked by an endpoint firewall’ does not display in the endpoint client events. Nor does 'Update succeeded', or 'Real time protection disabled/re-enabled', etc.
However Sophos Technical Support cannot confirm what events are not shown to the user via the Endpoint Events log, and could only recommend creating a feature request for creation of a knowledge base article to explain.