diff --git a/src/hunt/modules.rs b/src/hunt/modules.rs
index d6e16d1..f205373 100644
--- a/src/hunt/modules.rs
+++ b/src/hunt/modules.rs
@@ -579,7 +579,7 @@ pub fn detect_sophos_detections(
 let threat_type;
 // Sophos puts the relevant data in a Vec. Here we locate it and extract the key fields
- if let Some(threat_data) = ajson::get(&event.to_string(), "Event.EventData.Data.#text") {
+ if let Some(threat_data) = ajson::get(&event.to_string(), "Event.EventData.Data") {
 threat_type = match threat_data.to_vec().get(0) {
 Some(a) => a.clone(),
 None => return None,