Query Details
**[IA] - Threat Intelligence Feed Evaluation based on FileHashes IOCs**

| Technique ID | Title |
| --- | --- |
| T1566.001 | Spearphishing Attachment |

| Author | Sergio Albea (12/01/2026) |
| --- | --- |

TIFCE (Threat Intelligence Feed Content Evaluation) is a simple way to measure whether a TI feed is actually useful, based on four things: uniqueness, real matches, confirmed maliciousness, and activity.

🚨 TIFCE allows using one detection per IOC type (URLs, domains, file hashes) instead of dozens of rules per feed, keeping detections clean, centralized, and easy to maintain. In addition, if you rely on threat intelligence for detection, it offers a practical way to evaluate current or new TI feeds.

```
//Sergio Albea 12-01-2026 TIFCE https://zenodo.org/records/18208974
//TI Feeds Repositories
// bazaar.abuse.ch: one SHA256 per line, comment lines start with '#'
let MispHashes = externaldata(HashValue: string)['https://bazaar.abuse.ch/export/txt/sha256/recent/'] with (format = 'csv', ignoreFirstRecord = true)
| where HashValue !startswith '#'
| project TIFeed = 'bazaar.abuse.ch', IOC = HashValue, Reference = 'https://bazaar.abuse.ch/export/txt/sha256/recent/';
// botvrij.eu: hash is the first space-separated token of each line
let botvrij = externaldata(HashValue: string)['https://www.botvrij.eu/data/ioclist.sha256'] with (format = 'csv', ignoreFirstRecord = true)
| where HashValue !startswith '#'
| extend Parts = split(HashValue, " ")
| extend SHA256 = tostring(Parts[0])
| project TIFeed = 'botvrij', IOC = SHA256, Reference = 'https://www.botvrij.eu/data/ioclist.sha256';
// TweetFeed: mixed IOC types, keep only the sha256 rows
let FH_TweetFeedYear = externaldata(DateUTC: datetime, SourceUser: string, Type: string, Value: string, Tags: string, Tweet: string)['https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv'] with (format = 'csv')
| where Type has 'sha256'
| project TIFeed = 'FH_TweetFeedYear', IOC = Value, Reference = 'https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv';
//unify TIFeeds IOC List
let FH_IOCs = union MispHashes, botvrij, FH_TweetFeedYear;
//ℹ️ Remove the comments of the 2 following lines to get a summary of the IOCs present on distinct TI Feeds
// FH_IOCs | summarize dcount(TIFeed), make_set(TIFeed) by IOC | order by dcount_TIFeed
//
EmailAttachmentInfo
| join kind=inner (FH_IOCs) on $left.SHA256 == $right.IOC
| join kind=inner (EmailEvents) on NetworkMessageId
```
This query is designed to evaluate the usefulness of threat intelligence feeds by focusing on file hashes (specifically SHA256 hashes). Here's a simplified breakdown of what the query does:

- **Data Sources:** It pulls data from three different threat intelligence feeds:
  - bazaar.abuse.ch (recent SHA256 export)
  - botvrij.eu (SHA256 IOC list)
  - TweetFeed by 0xDanielLopez (year.csv, filtered to SHA256 entries)
- **Data Unification:** The query combines the data from these three feeds into a single list of Indicators of Compromise (IOCs), specifically focusing on SHA256 file hashes.
- **Evaluation:** The query then matches these IOCs against email attachment information and email events to identify any overlaps. This shows whether the file hashes from the threat intelligence feeds are present in the organization's email data, indicating potential threats.
- **Purpose:** The overall goal is to assess the effectiveness of the threat intelligence feeds by checking for:
  - uniqueness (whether an IOC appears in only one feed)
  - real matches (hits in the organization's email data)
  - confirmed maliciousness
  - activity

By doing this, the query helps in maintaining a clean, centralized, and easy-to-manage detection system, ensuring that the threat intelligence feeds being used are valuable and effective.
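As an added example (not part of the original TIFCE query or the author's work), the following KQL turns the join above into a per-feed scorecard on the four TIFCE criteria. It uses constructed datatable() rows in place of the live feeds and of the Defender XDR EmailAttachmentInfo/EmailEvents tables, and the mapping of each criterion to a column (uniqueness = IOCs carried by only one feed, real matches = join hits, confirmed maliciousness = a ThreatTypes value or a Blocked delivery, activity = most recent match) is an assumption.

```kql
// Added example: scores each feed on the four TIFCE criteria. All rows are constructed
// stand-ins for the live feeds and the Defender XDR tables used by the original query.
let FH_IOCs = datatable(TIFeed: string, IOC: string)   // same shape as the original FH_IOCs
[
    'bazaar.abuse.ch',  'hash_a',
    'bazaar.abuse.ch',  'hash_b',
    'botvrij',          'hash_b',
    'botvrij',          'hash_c',
    'FH_TweetFeedYear', 'hash_a',
    'FH_TweetFeedYear', 'hash_d'
];
// Constructed rows; column names follow the real EmailAttachmentInfo / EmailEvents schema.
let SampleEmailAttachmentInfo = datatable(Timestamp: datetime, NetworkMessageId: string, SHA256: string)
[
    datetime(2026-01-10 09:00:00), 'msg-1', 'hash_a',
    datetime(2026-01-12 14:30:00), 'msg-2', 'hash_b',
    datetime(2026-01-15 08:15:00), 'msg-3', 'hash_c'
];
let SampleEmailEvents = datatable(NetworkMessageId: string, ThreatTypes: string, DeliveryAction: string)
[
    'msg-1', 'Malware', 'Blocked',
    'msg-2', '',        'Delivered',
    'msg-3', 'Malware', 'Blocked'
];
// Uniqueness: number of feeds carrying each IOC (1 = exclusive to a single feed).
let FeedsPerIOC = FH_IOCs | summarize FeedsCarrying = dcount(TIFeed) by IOC;
// Real matches: the same two joins the original query performs, keeping the verdict fields.
let Matches = SampleEmailAttachmentInfo
    | join kind=inner (FH_IOCs) on $left.SHA256 == $right.IOC
    | join kind=inner (SampleEmailEvents) on NetworkMessageId;
FH_IOCs
| join kind=inner (FeedsPerIOC) on IOC
| summarize TotalIOCs = dcount(IOC), UniqueIOCs = dcountif(IOC, FeedsCarrying == 1) by TIFeed
| join kind=leftouter (
    Matches
    | summarize MatchedIOCs = dcount(IOC),
                // Confirmed maliciousness: Defender tagged a threat type or blocked delivery.
                ConfirmedMalicious = dcountif(IOC, isnotempty(ThreatTypes) or DeliveryAction == 'Blocked'),
                // Activity: most recent match, a proxy for whether the feed's IOCs are still live.
                LastMatch = max(Timestamp)
        by TIFeed
) on TIFeed
| project TIFeed, TotalIOCs, UniqueIOCs, MatchedIOCs, ConfirmedMalicious, LastMatch
| order by MatchedIOCs desc
```

With the constructed rows, botvrij and FH_TweetFeedYear each contribute one IOC no other feed has, while bazaar.abuse.ch contributes none; swapping the datatable() stand-ins for the original query's FH_IOCs and the real tables gives the same scorecard over live data.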

Sergio Albea
Released: January 17, 2026