Query Details

ROSTI Repackaged Open Source Intelligence MDE File Events IOC Hits

Query

//Looks for SHA256 hits from the ROSTI Feed
//Source: https://rosti.bin.re/feeds
//Pull the ROSTI SHA256 export; the file carries a header row (UniqName,Value) that ignoreFirstRecord skips
let RostiBinIOCs = externaldata(UniqName: string, Value: string)[@"https://sduixpgwciwivgpuisyf.supabase.co/storage/v1/object/public/bulk-exports/checkpoint-sha256.txt"] with (format="csv", ignoreFirstRecord=true);
let SHA256List = RostiBinIOCs
| project Value;
DeviceFileEvents
| where TimeGenerated > ago(90d)
| where SHA256 in (SHA256List) //in() is case-sensitive; MDE reports SHA256 as lowercase hex
//Drop known false positives before summarizing so they never reach the result set
| where SHA256 <> "bf861f5bd384707e23148716240822208ceeba50c132fb172b784a6575e5e555" //OneDrive Updater FalsePositive
| where SHA256 <> "6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728" //Cisco Collab FP
| extend VT_domain = iff(isnotempty(SHA256), strcat(@"https://www.virustotal.com/gui/file/", SHA256), SHA256)
| summarize count() by SHA256, VT_domain, DeviceName

Explanation

This KQL (Kusto Query Language) query is designed to identify and count specific file events on devices based on SHA256 hash values from an external threat intelligence feed called ROSTI. Here's a simplified breakdown of what the query does:

  1. Import External Data: It retrieves a list of SHA256 hash values from an external CSV file hosted on a specified URL. This file is part of the ROSTI threat intelligence feed.

  2. Filter Device File Events: It looks at device file events that have occurred in the last 90 days.

  3. Match SHA256 Hashes: It checks if the SHA256 hash of each file event matches any of the hashes from the ROSTI feed.

  4. Generate VirusTotal Links: For each matching SHA256 hash, it creates a link to the VirusTotal website, which can provide more information about the file.

  5. Summarize Results: It counts the number of occurrences of each SHA256 hash and groups the results by the hash value, the VirusTotal link, and the device name where the event occurred.

  6. Exclude False Positives: It excludes two specific SHA256 hashes known to be false positives (related to OneDrive Updater and Cisco Collab) from the results.

Overall, the query helps identify potentially malicious files on devices by cross-referencing them with known threat intelligence data, while filtering out known false positives.
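To make the pipeline above concrete (and testable without a workspace), the following Python mirrors each step over constructed in-memory rows: it parses a feed in the same CSV shape the query reads with externaldata, lower-cases and validates the hashes, applies the 90-day window, matches against DeviceFileEvents-style rows, builds the VirusTotal link, summarizes by hash and device, and drops the two false positives the query excludes. This is an added example, not the author's code or part of the ROSTI feed; the feed rows, device names and event timestamps are invented, and the only real values are the two false-positive hashes taken from the query.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# The two exclusions carried in the query itself.
FP_ONEDRIVE = "bf861f5bd384707e23148716240822208ceeba50c132fb172b784a6575e5e555"
FP_CISCO = "6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728"
FALSE_POSITIVES = {FP_ONEDRIVE, FP_CISCO}

# Constructed (not real) hashes used by the sample rows below.
HIT = "0" * 61 + "aaa"        # on the feed, not a false positive
UNLISTED = "1" * 61 + "bbb"   # not on the feed at all

# Constructed stand-in for the ROSTI checkpoint-sha256 export: a CSV with a header row
# (UniqName,Value), which the query skips via ignoreFirstRecord. The uppercase hash and
# the junk row are there to exercise normalisation and validation.
ROSTI_FEED_CSV = f"""UniqName,Value
sample-1,{HIT}
sample-2,{FP_ONEDRIVE.upper()}
sample-3,not-a-sha256
"""


def load_ioc_hashes(csv_text):
    """Equivalent of `externaldata ... | project Value`, plus normalisation.

    KQL's `in` operator is case-sensitive and MDE reports SHA256 in lowercase hex, so
    feed values are lower-cased; anything that is not 64 hex chars is dropped rather
    than left to silently never match.
    """
    reader = csv.DictReader(io.StringIO(csv_text))  # DictReader consumes the header row
    hashes = set()
    for row in reader:
        value = (row.get("Value") or "").strip().lower()
        if SHA256_RE.match(value):
            hashes.add(value)
    return hashes


def vt_link(sha256):
    """Equivalent of the query's extend: a VirusTotal file URL, or the empty input unchanged."""
    return f"https://www.virustotal.com/gui/file/{sha256}" if sha256 else sha256


def match_file_events(events, ioc_hashes, now, window_days=90):
    """Mirror the DeviceFileEvents pipeline over in-memory rows.

    Keeps events inside the lookback window whose SHA256 is on the feed, drops the
    known false positives, and summarises counts by (SHA256, VT_domain, DeviceName).
    """
    cutoff = now - timedelta(days=window_days)
    counts = Counter()
    for ev in events:
        if ev["TimeGenerated"] <= cutoff:       # TimeGenerated > ago(90d)
            continue
        sha = (ev.get("SHA256") or "").lower()
        if sha in ioc_hashes and sha not in FALSE_POSITIVES:
            counts[(sha, ev["DeviceName"])] += 1
    return [
        {"SHA256": sha, "VT_domain": vt_link(sha), "DeviceName": dev, "count_": n}
        for (sha, dev), n in sorted(counts.items())
    ]


# Constructed DeviceFileEvents rows: two hits on ws01, one stale hit outside the window,
# one hit on the OneDrive Updater hash (excluded), and one hash not on the feed.
NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(days=1), "DeviceName": "ws01", "SHA256": HIT},
    {"TimeGenerated": NOW - timedelta(days=30), "DeviceName": "ws01", "SHA256": HIT},
    {"TimeGenerated": NOW - timedelta(days=120), "DeviceName": "ws02", "SHA256": HIT},
    {"TimeGenerated": NOW - timedelta(days=2), "DeviceName": "ws03", "SHA256": FP_ONEDRIVE},
    {"TimeGenerated": NOW - timedelta(days=2), "DeviceName": "ws03", "SHA256": UNLISTED},
]


def run_sample():
    """Run the whole pipeline over the constructed feed and events."""
    return match_file_events(SAMPLE_EVENTS, load_ioc_hashes(ROSTI_FEED_CSV), NOW)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Only the ws01 row survives: the stale ws02 hit falls outside the window, the ws03 OneDrive hit is an excluded false positive, and the unlisted hash never matches. The same shape of check is worth running against a freshly downloaded feed before trusting the query's results, since a feed that switches to uppercase hex would make the KQL `in()` match nothing without any error.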

Details


Jay Kerai

Released: February 1, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

let, externaldata, with, project, where, in, extend, iff, isnotempty, strcat, summarize, by, <>
