Live Discover for Parent_Sophos_PID without result - how can that be?

I'm trying to get the root process for an event on a client that is currently offline, using a Data Lake query.

However, the Parent PID search gives no results. The event is 14 days old. I thought the Sophos PID is THE indicator of something in the Data Lake - how can it be missing?

In another case, if I search for the process path I was looking for above and select

Network activity of a process with a specific path (Data Lake)

I get a weird error message:

Invalid operation due to 'Query failed (#20211102_160842_00203_c2dxd): Loaded block positions count (945) doesn't match lazy block positions count (1024)'

I'd like to use this feature but I stumble across missing data much too often.

  • On the first topic: not finding a ParentSophosPID in the data lake.

    A SophosPID or ParentSophosPID consists of two fields: the PID, followed by a ':', then the MS timestamp. That MS timestamp (132714108461097633) converts to Thursday, July 22, 2021 7:00:46 am, and as the data lake only stores 30 days of data, it would have rolled out of the data lake by now. Hence not found. The data may still reside on the endpoint journals, as they typically hold about 90 days of activity. You can try the Live Discover query for that info.

    Also, if you run the same query with the SophosPID instead of the ParentSophosPID, you should get the name and path of the parent process in the results.

    On the 2nd topic: 'Invalid operation due to query failed'. Looks like some other error. Is the error code consistent?

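The reply above explains the field layout (PID, colon, Windows FILETIME timestamp) and the two retention windows that decide where a record can still be found. The following is an added example, not code from the poster, the replier or Sophos: it splits a SophosPID, converts the FILETIME to UTC, and says whether the process start still falls inside the 30-day data lake window or only the roughly 90-day endpoint journal window. The PID 1234 is made up, and the reference time is assumed to be the query date read off the error message's query id (20211102_160842); the timestamp itself is the one quoted in the reply.

```python
from datetime import datetime, timedelta, timezone

# A SophosPID / ParentSophosPID is "<PID>:<timestamp>", where the timestamp is a
# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Retention windows quoted in the reply above (days).
DATA_LAKE_RETENTION_DAYS = 30
ENDPOINT_JOURNAL_DAYS = 90

# Assumed "now": the query id in the error message (20211102_160842) read as a UTC time.
QUERY_TIME = datetime(2021, 11, 2, 16, 8, 42, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert FILETIME ticks to an aware UTC datetime using integer math (microsecond precision)."""
    seconds, rest = divmod(ticks, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=rest // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; handy for constructing test SophosPIDs."""
    micros = (when.astimezone(timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10


def parse_sophos_pid(sophos_pid: str) -> tuple[int, datetime]:
    """Split 'PID:FILETIME' into the integer PID and the process start time (UTC)."""
    pid_text, sep, ticks_text = sophos_pid.partition(":")
    if not (sep and pid_text.isdigit() and ticks_text.isdigit()):
        raise ValueError(f"not a PID:timestamp pair: {sophos_pid!r}")
    return int(pid_text), filetime_to_datetime(int(ticks_text))


def age_in_days(sophos_pid: str, now: datetime) -> float:
    """Age of the process start embedded in the SophosPID, relative to 'now', in days."""
    _, started = parse_sophos_pid(sophos_pid)
    return (now - started).total_seconds() / 86400


def where_to_look(sophos_pid: str, now: datetime) -> str:
    """Which store can still hold records for this process start, given the retention windows."""
    age = age_in_days(sophos_pid, now)
    if age < 0:
        return "timestamp is in the future; check the field or the clock"
    if age <= DATA_LAKE_RETENTION_DAYS:
        return "data lake"
    if age <= ENDPOINT_JOURNAL_DAYS:
        return "endpoint journal only (Live Discover, endpoint must be online)"
    return "likely expired from the endpoint journal as well"


if __name__ == "__main__":
    # Constructed sample: the reply's timestamp with a made-up PID of 1234.
    sample = "1234:132714108461097633"
    pid, started = parse_sophos_pid(sample)
    print(pid, started.isoformat(), f"{age_in_days(sample, QUERY_TIME):.1f} days old")
    print(where_to_look(sample, QUERY_TIME))
```

Run against the reply's value, the start time comes out as 2021-07-22 07:00:46 UTC, about 103 days before the query date, which is why the data lake query returns nothing; the same arithmetic applied to a SophosPID from the 14-day-old event itself would land inside the data lake window.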