Hello All,
I have been trying to create custom queries in Sophos Central for finding IoCs (SHA1 and SHA256).
Can you please help me build query for the same?
Regards,
Jenil
Added TAGs
[edited by: Gladys at 7:19 AM (GMT -7) on 24 May 2023]
Hi Jenil,
I suggest checking the following request we've received previously, as this should give you a good starting place to create this query.
- Live Discover and Response Query Forum > Threat Hunting
Hey,
Thank you for sharing this. I'll give it a try and let you know.
I used the exact query that RaviSoni had provided. Somehow I got an error saying the column does not exist. The name of the column is sfj.pathname.
Can you please help?
Regards,
Jenil
Checking the following documentation, it looks like the "pathname" column has been deprecated. You can instead use "path".
- docs.sophos.com/.../index.html
Thank you. That resolved the error. But now it shows no column named SophosPID.
Can you please help.
Out of interest, have you tried the new Search option under Threat Analysis Center? You can just search by a SHA256.
E.g.
sha256: 94f068bda39698e454f3cd8905be87d1c761ca55c4a5f7c59f71a55861ed0d9e
The schema is here https://docs.sophos.com/central/References/schemas/index.html?schema=ld_schema
Maybe try sophos_pid.
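Added example, not posted by anyone in this thread: two Live Discover queries that do what the original question asks, matching files on an endpoint against a list of SHA1/SHA256 IoCs. Live Discover runs osquery SQL (SQLite dialect) on the endpoint. The first query uses only the standard osquery `hash` table (columns `path`, `directory`, `sha1`, `sha256` are documented osquery columns) with an inline IoC list, so it does not depend on the Sophos journal schema at all. The second query uses the Sophos file journal with the `path` column mentioned above; the `sha256` and `time` column names, the 7-day time window and the `$$SHA256$$` query-variable syntax are assumptions and should be checked against the ld_schema page linked above. The hash values and the directory are constructed placeholders, not real IoCs.

```sql
-- Query 1: hash files under one directory and compare against an inline IoC list.
-- `hash` is a standard osquery table and must be constrained by path or directory.
-- Hash values below are constructed placeholders (all zeros), not real IoCs.
WITH iocs(hash_type, hash_value) AS (
    VALUES
      ('sha256', '0000000000000000000000000000000000000000000000000000000000000000'),
      ('sha1',   '0000000000000000000000000000000000000000')
)
SELECT
    h.path,
    h.sha1,
    h.sha256,
    i.hash_type AS matched_on
FROM hash AS h
JOIN iocs AS i
  ON (i.hash_type = 'sha256' AND LOWER(h.sha256) = LOWER(i.hash_value))
  OR (i.hash_type = 'sha1'   AND LOWER(h.sha1)   = LOWER(i.hash_value))
-- LOWER() on both sides so an IoC pasted in upper-case hex still matches;
-- osquery reports hashes in lower-case hex.
WHERE h.directory = 'C:\Users\Public\';   -- constructed example directory

-- Query 2: look back through the Sophos file journal for one SHA256.
-- Assumptions (verify against the linked ld_schema): the table is
-- sophos_file_journal, the path column is `path` (not the deprecated
-- `pathname`), the hash column is `sha256`, `time` is a unix epoch, and
-- `$$SHA256$$` is a Live Discover variable prompted for when the query runs.
SELECT
    datetime(sfj.time, 'unixepoch') AS event_time,
    sfj.path,
    sfj.sha256
FROM sophos_file_journal AS sfj
WHERE LOWER(sfj.sha256) = LOWER('$$SHA256$$')
  -- keep journal reads bounded; widen the window as needed
  AND sfj.time > strftime('%s', 'now', '-7 days')
ORDER BY sfj.time DESC;
```

The first query is the one to start with when a column error appears, because it touches no Sophos-specific table; once it runs, swap in the journal query and fix any column name the schema page disagrees with. Extending the IoC list is just adding rows to the `VALUES` block.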