Forum Discussion

JerrySmith_UAB's avatar
JerrySmith_UAB
Copper Contributor
Jul 25, 2022
Solved

Query for file hashes in MDE portal

Hello! My organization is new to Microsoft Defender for Endpoints. I'd like to be able to threat hunt for IOC in the form of IPs, URL and naturally file hashes. Can someone direct me to the proper s...
microsoft defender for endpoint
threat hunting
  • MichaelJMelone's avatar
    MichaelJMelone
    Jul 26, 2022
    You have a couple of options here. If you wanted to keep it all in the query you can do this:
    let Hashes = pack_array('foo','bar','baz');
    DeviceFileEvents
    | where SHA256 in (Hashes)

    ...or you could upload a text file containing the hashes to blob storage and use a SAS URL like this:

    externaldata (SHA256:string)['https://some.blob.core.windows.net/files/myhashfile.txt?SasTokenHere']
    | join kind=rightsemi DeviceFileEvents on SHA256
Tiennes's avatar
Tiennes
Brass Contributor
Jul 29, 2022

Hi JerrySmith_UAB,

 

In addition to actively hunting for a file hash, an IP address, or domain name yourself via Advanced Hunting (or via Sentinel), you also have the option of using the Indicators via Settings --> Endpoints --> Indicators.

 

Here you can enter indicators such as a File hash, IP addresses, URLs/Domains, and certificates as IOCs. Indicators then use the Microsoft Defender for Endpoint sensors to actively search for these IOCs.

 

For more information about managing indicators, see: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-manage?view=o365-worldwide

Resources