Forum Discussion
JerrySmith_UAB
Jul 25, 2022 · Copper Contributor
Query for file hashes in MDE portal
Hello! My organization is new to Microsoft Defender for Endpoints. I'd like to be able to threat hunt for IOCs in the form of IPs, URLs and, naturally, file hashes. Can someone direct me to the proper s...
MichaelJMelone
Jul 26, 2022 · Microsoft
You have a couple of options here. If you wanted to keep it all in the query you can do this:
let Hashes = pack_array('foo','bar','baz');
DeviceFileEvents
| where SHA256 in (Hashes)
...or you could upload a text file containing the hashes to blob storage and use a SAS URL like this:
externaldata (SHA256:string)['https://some.blob.core.windows.net/files/myhashfile.txt?SasTokenHere']
| join kind=rightsemi DeviceFileEvents on SHA256
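As an added example (not code from the thread or from Microsoft): a small Python helper that cleans a hash list before it goes into the `pack_array` query from the reply. DeviceFileEvents stores SHA256 values in lowercase hex and the KQL `in` operator is case-sensitive, so an uppercase value pasted straight from `Get-FileHash` would silently match nothing. The sample hash file below is constructed.

```python
import re

# Constructed sample, one hash per line as in the uploaded text file:
# an uppercase Get-FileHash style value, its lowercase duplicate, and a malformed entry.
SAMPLE_HASH_FILE = """\
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
DEADBEEF
"""

# A SHA-256 digest is exactly 64 hex characters; anything else is a typo or a different hash type.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_hashes(text):
    """Return (valid, rejected): lowercase, de-duplicated SHA-256 strings and the lines that were dropped."""
    valid, rejected, seen = [], [], set()
    for raw in text.splitlines():
        candidate = raw.strip()
        if not candidate:
            continue
        lowered = candidate.lower()
        if not SHA256_RE.match(lowered):
            rejected.append(candidate)
        elif lowered not in seen:
            seen.add(lowered)
            valid.append(lowered)
    return valid, rejected


def build_query(hashes, table="DeviceFileEvents", column="SHA256"):
    """Render the in-query variant from the reply, with a project line so results are readable."""
    if not hashes:
        raise ValueError("no valid hashes to hunt for")
    array = ", ".join(f"'{h}'" for h in hashes)
    return (
        f"let Hashes = pack_array({array});\n"
        f"{table}\n"
        f"| where {column} in (Hashes)\n"
        f"| project Timestamp, DeviceName, FolderPath, FileName, {column}"
    )


if __name__ == "__main__":
    good, bad = normalize_hashes(SAMPLE_HASH_FILE)
    print(f"dropped: {bad}")
    print(build_query(good))
```

DeviceFileEvents records file creation, modification and similar events, so hashing an existing file with `Get-FileHash` does not by itself produce a row; the file has to be written on an onboarded device.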
JerrySmith_UAB
Jul 29, 2022 · Copper Contributor
In testing this, if I just run Get-FileHash on a random text file, this query should show that file, right?