I am running a number of scans including but not limited to "Unsigned applications that were run" which I believe I got from this site. I find the results to be extremely "busy" with so many pages it is almost unusable (155). I am looking to filter out specific hashes that have been investigated and are considered "safe" hopefully in a list format that can be added to the existing query like
exclude - 7e612ac5cadbf4c1b91f27fa1efd6a781f20a729620537f4756724d27943a2b1
exclude - dc4335464ac739d5ba664dc1c6690938b4d657f62846735aa9ee764747e4f626
The query I am running is
CAST(datetime(spj.time,'unixepoch') AS TEXT) processExecutionTime,
FROM sophos_process_journal spj
LEFT JOIN users u
ON spj.sid = u.uuid
LEFT JOIN sophos_file_properties sfp
ON sfp.sha256 = (CASE
WHEN spj.sha256 IS NULL OR spj.sha256 = ''
WHERE spj.eventType = 0
AND sfp.localRepData != ''
AND json_extract(sfp.localRepData, '$.reputationData.isSigned') = 0
AND spj.time >= CAST(STRFTIME('%s','NOW','-24 HOURS') AS INT)
Please understand that I am not a programmer or very familiar with SQL queries so reply as if to a dummy. I realize that I can reduce the time period, but don't want to. I see this functionality as being useful in a number of scans as you build and check your networks baseline