Live Discover for Parent_Sophos_PID without result - how can that be?

I'm trying to get the root process for an event on a client that is currently offline, using a Data Lake query.

However, the Parent PID search gives no results. The event is 14 days old. I thought the Sophos PID is THE indicator of something in the Data Lake, so how can it be missing?

In another case, if I search for the process path I was looking for above and select

Network activity of a process with a specific path (Data Lake)

I get a weird error message:

Invalid operation due to 'Query failed (#20211102_160842_00203_c2dxd): Loaded block positions count (945) doesn't match lazy block positions count (1024)'

I'd like to use this feature but I stumble across missing data much too often.

  • On the first topic: not finding a parent Sophos PID in the Data Lake.

    A SophosPID or ParentSophosPID consists of two fields: the PID, followed by a colon (:), then the MS timestamp. That MS timestamp (132714108461097633) converts to Thursday, July 22, 2021 7:00:46am, and as the Data Lake only stores 30 days of data, it would have rolled out of the Data Lake by now. Hence not found. The data may still reside in the endpoint journals, as they typically hold about 90 days of activity. You can try the Live Discover query for that info.

    Also, if you run the same query with the SophosPID instead of the ParentSophosPID, you should get the name and path of the parent process in the results.

    On the 2nd topic: "Invalid operation due to query failed." Looks like some other error. Is the error code consistent?

  • Hi Karl,

    do you have a converter for the PID timestamp? I tried some online tools for millisecond conversion and they all cannot handle the value 132714108461097633.

  • Sure, a free timestamp converter is here: https://www.silisoftware.com/tools/date.php. That is showing a FileTime, and in human-readable form it is July 22, 7 AM. You can also use this formula as a Data Lake query.

    SELECT
       $$Filesystem time$$ Filesystem_Time,
       -- A FILETIME counts 100 ns ticks since 1601-01-01 UTC; 11644473600 s separate
       -- that epoch from the Unix epoch (1970-01-01). Current values are 18 digits long.
       CASE LENGTH('$$Filesystem time$$')
          WHEN 18 THEN CAST($$Filesystem time$$ / 10000000 - 11644473600 AS VARCHAR)
          ELSE 'Not a valid filesystem time'
       END UnixEpoch,
       CASE LENGTH('$$Filesystem time$$')
          WHEN 18 THEN CAST(FROM_UNIXTIME($$Filesystem time$$ / 10000000 - 11644473600) AS VARCHAR)
          ELSE ''
       END Date_Time
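The SophosPID structure described earlier in the thread and the FileTime formula above, as an added Python example (not code from the thread or from Sophos). It splits a `<pid>:<filetime>` value, converts the FileTime to UTC with the same 18-digit sanity check as the query, and tests whether the process start time still falls inside the 30-day Data Lake retention; the PID value and the "now" timestamp are constructed, the FileTime is the one from the thread.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_TO_UNIX_OFFSET = 11644473600
# A FILETIME counts 100-nanosecond ticks.
FILETIME_TICKS_PER_SECOND = 10_000_000
# Data Lake retention as stated in the thread.
DATA_LAKE_RETENTION_DAYS = 30


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    if len(str(filetime)) != 18:
        # Same sanity check as the Data Lake formula: current FILETIME values are 18 digits.
        raise ValueError(f"not a valid FILETIME: {filetime}")
    seconds, ticks = divmod(filetime, FILETIME_TICKS_PER_SECOND)
    unix_seconds = seconds - FILETIME_TO_UNIX_OFFSET
    # Keep the sub-second part: 100 ns ticks -> microseconds.
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_sophos_pid(sophos_pid: str) -> Tuple[int, datetime]:
    """Split a SophosPID / ParentSophosPID of the form '<pid>:<filetime>' into (pid, start time)."""
    pid_str, sep, ft_str = sophos_pid.partition(":")
    if sep != ":" or not pid_str.isdigit() or not ft_str.isdigit():
        raise ValueError(f"malformed SophosPID: {sophos_pid!r}")
    return int(pid_str), filetime_to_datetime(int(ft_str))


def in_data_lake_window(start: datetime, now: datetime,
                        retention_days: int = DATA_LAKE_RETENTION_DAYS) -> bool:
    """True if a process start time is still inside the Data Lake retention window."""
    return now - timedelta(days=retention_days) <= start <= now


if __name__ == "__main__":
    # Constructed input: the PID part (4711) is made up; the FILETIME is the one quoted in the thread.
    pid, started = parse_sophos_pid("4711:132714108461097633")
    # Constructed "now": an assumed query time 14 days after the event would still be inside the window.
    query_time = datetime(2021, 11, 2, tzinfo=timezone.utc)
    print(f"pid={pid} started={started.isoformat()}")
    print("still in Data Lake:", in_data_lake_window(started, query_time))
```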
