Forum Discussion

JerrySmith_UAB's avatar
JerrySmith_UAB
Copper Contributor
Jul 25, 2022
Solved

Query for file hashes in MDE portal

Hello!

My organization is new to Microsoft Defender for Endpoints. I'd like to be able to threat hunt for IOC in the form of IPs, URL and naturally file hashes. Can someone direct me to the proper syntax for file hashes? For instance if I have a list of 30 MD5 hashes. Thank you.

I've googled and see some mentions but nothing that gets me all the way there.

microsoft defender for endpoint
threat hunting
  • MichaelJMelone's avatar
    MichaelJMelone
    Jul 26, 2022
    You have a couple of options here. If you wanted to keep it all in the query you can do this:
    let Hashes = pack_array('foo','bar','baz');
    DeviceFileEvents
    | where SHA256 in (Hashes)

    ...or you could upload a text file containing the hashes to blob storage and use a SAS URL like this:

    externaldata (SHA256:string)['https://some.blob.core.windows.net/files/myhashfile.txt?SasTokenHere']
    | join kind=rightsemi DeviceFileEvents on SHA256

4 Replies

  • Tiennes's avatar
    Tiennes
    Brass Contributor
    Jul 29, 2022

    Hi JerrySmith_UAB,

     

    In addition to actively hunting for a file hash, an IP address, or domain name yourself via Advanced Hunting (or via Sentinel), you also have the option of using the Indicators via Settings --> Endpoints --> Indicators.

     

    Here you can enter indicators such as a File hash, IP addresses, URLs/Domains, and certificates as IOCs. Indicators then use the Microsoft Defender for Endpoint sensors to actively search for these IOCs.

     

    For more information about managing indicators, see: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-manage?view=o365-worldwide

  • MichaelJMelone's avatar
    MichaelJMelone
    Icon for Microsoft rankMicrosoft
    Jul 26, 2022
    You have a couple of options here. If you wanted to keep it all in the query you can do this:
    let Hashes = pack_array('foo','bar','baz');
    DeviceFileEvents
    | where SHA256 in (Hashes)

    ...or you could upload a text file containing the hashes to blob storage and use a SAS URL like this:

    externaldata (SHA256:string)['https://some.blob.core.windows.net/files/myhashfile.txt?SasTokenHere']
    | join kind=rightsemi DeviceFileEvents on SHA256
    • JerrySmith_UAB's avatar
      JerrySmith_UAB
      Copper Contributor
      Jul 29, 2022
      In testing this, if I just run a get-filehash on a random text file this query should show that file right?

Resources