SOLVED

Query for file hashes in MDE portal

Copper Contributor

Hello!

My organization is new to Microsoft Defender for Endpoints. I'd like to be able to threat hunt for IOC in the form of IPs, URL and naturally file hashes. Can someone direct me to the proper syntax for file hashes? For instance if I have a list of 30 MD5 hashes. Thank you.

I've googled and see some mentions but nothing that gets me all the way there.

4 Replies
best response confirmed by JerrySmith_UAB (Copper Contributor)
Solution
You have a couple of options here. If you wanted to keep it all in the query you can do this:
let Hashes = pack_array('foo','bar','baz');
DeviceFileEvents
| where SHA256 in (Hashes)

...or you could upload a text file containing the hashes to blob storage and use a SAS URL like this:

externaldata (SHA256:string)['https://some.blob.core.windows.net/files/myhashfile.txt?SasTokenHere']
| join kind=rightsemi DeviceFileEvents on SHA256
Thank you, I'll give this a shot.

Hi @JerrySmith_UAB,

 

In addition to actively hunting for a file hash, an IP address, or domain name yourself via Advanced Hunting (or via Sentinel), you also have the option of using the Indicators via Settings --> Endpoints --> Indicators.

 

Here you can enter indicators such as a File hash, IP addresses, URLs/Domains, and certificates as IOCs. Indicators then use the Microsoft Defender for Endpoint sensors to actively search for these IOCs.

 

For more information about managing indicators, see: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-manage?view=o365...

In testing this, if I just run a get-filehash on a random text file this query should show that file right?
1 best response

Accepted Solutions
best response confirmed by JerrySmith_UAB (Copper Contributor)
Solution
You have a couple of options here. If you wanted to keep it all in the query you can do this:
let Hashes = pack_array('foo','bar','baz');
DeviceFileEvents
| where SHA256 in (Hashes)

...or you could upload a text file containing the hashes to blob storage and use a SAS URL like this:

externaldata (SHA256:string)['https://some.blob.core.windows.net/files/myhashfile.txt?SasTokenHere']
| join kind=rightsemi DeviceFileEvents on SHA256

View solution in original post