From c553d5ebdf782e7fee4818ca2def4fa1fca83601 Mon Sep 17 00:00:00 2001
From: dorgja
Date: Fri, 7 Jan 2022 14:19:56 +0000
Subject: [PATCH] fixing sophos detections
---
 src/hunt/modules.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/hunt/modules.rs b/src/hunt/modules.rs
index d6e16d1..f205373 100644
--- a/src/hunt/modules.rs
+++ b/src/hunt/modules.rs
@@ -579,7 +579,7 @@ pub fn detect_sophos_detections(
 let threat_type;
 // Sophos puts the relevant data in a Vec. Here we locate it and extract the key fields
- if let Some(threat_data) = ajson::get(&event.to_string(), "Event.EventData.Data.#text") {
+ if let Some(threat_data) = ajson::get(&event.to_string(), "Event.EventData.Data") {
 threat_type = match threat_data.to_vec().get(0) {
 Some(a) => a.clone(),
 None => return None,
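Review bot: The new lookup resolves the whole `Event.EventData.Data` node, and the code still takes `threat_data.to_vec().get(0)` as the threat type purely by position, so the index-to-field mapping is an undocumented assumption about how Sophos orders its `Data` elements; if ajson resolves that node to something other than a flat array of text values (for instance element objects that still carry `#text` and attributes), `a.clone()` would hand an object rather than a string to the rest of the detection, which is worth confirming against a captured sample event. A comment above the `if let` would make the assumption explicit: `// Data is expected to be an array of text values; index 0 is taken as the threat name (positional, per Sophos event layout) — confirm against a sample event`. Separately, `event.to_string()` builds a `String` of the full event for this single lookup; if the function issues further `ajson::get` calls on the same event, that string could be built once and reused. `detect_sophos_detections` begins before and continues past this hunk.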