Sophos Endpoint

Discussions Need help in building OS Query for Finding SHA1 andSHA256

Sophos Endpoint requires membership for participation - click to join

Thread Info

State Suggested Answer
Locked Locked
Replies 6 replies
Answers 1 answer
Subscribers 13 subscribers
Views 2101 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Need help in building OS Query for Finding SHA1 andSHA256

Jenil Sadrani 10 months ago

Hello All,

I have been trying to create custom queries in Sophos Central for finding IoCs (SHA1 and SHA256).

Can you please help me build query for the same?

Regards,

Jenil

This thread was automatically locked due to age.

Top Replies

Qoosh 10 months ago +1 suggested

Hi Jenil , I suggest checking the following request we've received previously, as this should give you a good starting place to create this query. - Live Discover and Response Query Forum > Threat H…

Parents

0 Qoosh 10 months ago

Hi Jenil,

I suggest checking the following request we've received previously, as this should give you a good starting place to create this query.
- Live Discover and Response Query Forum > Threat Hunting

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up +1 Vote Down

Cancel
0 Jenil Sadrani 10 months ago in reply to Qoosh

I used the exact Query that RaviSoni had provided. Somehow I got the error saying column does not exist. The name of the column is sfj.pathname.

Can you please help?

Regards,

Jenil
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Jenil Sadrani 10 months ago in reply to Qoosh

I used the exact Query that RaviSoni had provided. Somehow I got the error saying column does not exist. The name of the column is sfj.pathname.

Can you please help?

Regards,

Jenil
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Qoosh 10 months ago in reply to Jenil Sadrani

Checking the following documentation, it looks like the "pathname" column has been depreciated. You can instead use "path"
- docs.sophos.com/.../index.html

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up +1 Vote Down

Cancel
0 Jenil Sadrani 10 months ago in reply to Qoosh

Thakyou. That resolved the error. But now it shows no column named SophosPID.

Can you please help.
Cancel
Vote Up 0 Vote Down

Cancel