Query Details

TI Feed 2022 Talos Emotet SHA256

Query

# Emotet SHA256 IOC Feed

#### Source: Talos Intelligence
#### Feed information: https://blog.talosintelligence.com/emotet-coming-in-hot/
#### Feed link: https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_parents.txt

### Defender For Endpoint
```kql
// Load the Talos feed as a single-column table; ignoreFirstRecord skips the header line
let Emotetsha256 = externaldata(sha256: string)[@"https://githubraw.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt"] with (format="txt", ignoreFirstRecord=true);
DeviceFileEvents
// Keep only file events whose hash appears in the feed (in is case-sensitive)
| where SHA256 in (Emotetsha256)
| project Timestamp, FileName, SHA256, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
```


### Sentinel
```kql
// Same query for Sentinel; only the timestamp column differs (TimeGenerated)
let Emotetsha256 = externaldata(sha256: string)[@"https://githubraw.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt"] with (format="txt", ignoreFirstRecord=true);
DeviceFileEvents
| where SHA256 in (Emotetsha256)
| project TimeGenerated, FileName, SHA256, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
```

Explanation

The query loads the list of SHA256 hashes published in the Talos feed with `externaldata`, skipping the feed's header line, and uses it to filter DeviceFileEvents on the SHA256 column. For each match it returns the timestamp, file name, SHA256 hash, device name and details of the initiating process (command line, file name, account domain and account name). The same query works in both Defender for Endpoint and Sentinel; the only difference is the timestamp column (Timestamp in Defender for Endpoint, TimeGenerated in Sentinel).
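As an added example (not code from the original page or from Cisco Talos), the Python below re-implements the query's logic offline: it parses a one-hash-per-line feed while skipping the first record, as `externaldata(...) with (format="txt", ignoreFirstRecord=true)` does, then matches the result against file-event rows and projects the same columns the query does. The feed lines, file events, device names and accounts are constructed samples, not real IOCs. It goes one step beyond the query by validating and lower-casing feed entries before comparison: KQL `in` compares case-sensitively, so a feed whose hash case differs from the SHA256 column would silently return no matches (`in~` is the case-insensitive variant), and a header, comment or malformed line that slips through would never become an IOC.

```python
"""Offline re-implementation of the SHA256 IOC match performed by the KQL query.

Added example, not code from the original page or from Cisco Talos. All feed
lines, file events, device names and accounts below are constructed samples.
"""
import re

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")

# Constructed stand-in for the downloaded feed. Line 1 plays the role of the
# header that ignoreFirstRecord=true skips; the upper-case, comment, blank,
# malformed and duplicate lines are the edge cases a feed parser must handle.
SAMPLE_FEED = "\n".join([
    "sha256 (constructed header line)",
    "a" * 64,
    "B" * 64,           # upper-case entry that must still match
    "# comment line",
    "",
    "not-a-hash",
    "a" * 64,           # duplicate entry
])

# Constructed DeviceFileEvents rows; only the columns the query touches are present.
SAMPLE_EVENTS = [
    {"Timestamp": "2022-11-08T10:15:00Z", "FileName": "attachment.xls",
     "SHA256": "a" * 64, "DeviceName": "ws01.corp.example",
     "InitiatingProcessCommandLine": "OUTLOOK.EXE",
     "InitiatingProcessFileName": "OUTLOOK.EXE",
     "InitiatingProcessAccountDomain": "CORP",
     "InitiatingProcessAccountName": "alice"},
    {"Timestamp": "2022-11-08T10:16:30Z", "FileName": "form.xls",
     "SHA256": "b" * 64, "DeviceName": "ws02.corp.example",
     "InitiatingProcessCommandLine": "chrome.exe --download",
     "InitiatingProcessFileName": "chrome.exe",
     "InitiatingProcessAccountDomain": "CORP",
     "InitiatingProcessAccountName": "bob"},
    {"Timestamp": "2022-11-08T10:17:00Z", "FileName": "notes.txt",
     "SHA256": "c" * 64, "DeviceName": "ws01.corp.example",
     "InitiatingProcessCommandLine": "notepad.exe",
     "InitiatingProcessFileName": "notepad.exe",
     "InitiatingProcessAccountDomain": "CORP",
     "InitiatingProcessAccountName": "alice"},
]

# Columns the query projects after the timestamp column.
PROJECTED_REST = (
    "FileName", "SHA256", "DeviceName",
    "InitiatingProcessCommandLine", "InitiatingProcessFileName",
    "InitiatingProcessAccountDomain", "InitiatingProcessAccountName",
)


def parse_sha256_feed(text: str, ignore_first_record: bool = True) -> set[str]:
    """Return the valid SHA256 hashes in a one-record-per-line feed.

    Mirrors externaldata(...) with (format="txt", ignoreFirstRecord=true).
    Entries are lower-cased and validated as 64 hex characters, so a header,
    comment, blank or malformed line never becomes an IOC and an upper-case
    entry still matches a lower-case SHA256 column.
    """
    lines = text.splitlines()
    if ignore_first_record:
        lines = lines[1:]
    iocs: set[str] = set()
    for line in lines:
        candidate = line.strip().lower()
        if not candidate or candidate.startswith("#"):
            continue
        if HEX_SHA256.match(candidate):
            iocs.add(candidate)
    return iocs


def match_file_events(events, iocs, time_column: str = "Timestamp"):
    """Equivalent of `| where SHA256 in (Emotetsha256) | project ...`.

    time_column is "Timestamp" for Defender for Endpoint rows and
    "TimeGenerated" for Sentinel rows, the one difference between the two
    queries on the page.
    """
    columns = (time_column,) + PROJECTED_REST
    return [
        {col: ev.get(col) for col in columns}
        for ev in events
        if ev.get("SHA256", "").lower() in iocs
    ]


if __name__ == "__main__":
    feed_hashes = parse_sha256_feed(SAMPLE_FEED)
    for hit in match_file_events(SAMPLE_EVENTS, feed_hashes):
        print(hit["Timestamp"], hit["DeviceName"], hit["FileName"], hit["SHA256"][:12])
```

Running the module prints the two matching rows; swapping `SAMPLE_FEED` for the downloaded feed text and `SAMPLE_EVENTS` for exported DeviceFileEvents rows gives the same result the query would return in the portal.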

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceFileEvents

Keywords

Devices,Intune,User

Operators

externaldata, with, format, ignoreFirstRecord, DeviceFileEvents, where, in, project, Timestamp, FileName, SHA256, DeviceName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, TimeGenerated
