Hunt for malicious files that have been identified by CERT-FR
TI Feed CERT FR MISP Feed
Query
let CERTFRFeed = externaldata (SHA1: string, threatid :string) ["https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv"];
DeviceFileEvents
| join kind=inner CERTFRFeed on SHA1
// Additional information about the hash is available by using the ThreatInfoLink field.
| extend ThreatInfoLink = strcat("https://misp.cert.ssi.gouv.fr/feed-misp/", threatid, ".json")
| project-reorder Timestamp, SHA1, ThreatInfoLink, DeviceNameAbout this query
Hunt for malicious files that have been identified by CERT-FR
Source: CERT-FR
Feed link: https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv
Defender XDR
Sentinel
let CERTFRFeed = externaldata (SHA1: string, threatid :string) ["https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv"];
DeviceFileEvents
| join kind=inner CERTFRFeed on SHA1
// Additional information about the hash is available by using the ThreatInfoLink field.
| extend ThreatInfoLink = strcat("https://misp.cert.ssi.gouv.fr/feed-misp/", threatid, ".json")
| project-reorder TimeGenerated, SHA1, ThreatInfoLink, DeviceName
Explanation
This query is designed to identify potentially malicious files on a network by comparing file hashes from device events with a list of known malicious hashes provided by CERT-FR. Here's a simple breakdown of what the query does:
-
Data Source: It uses an external data source from CERT-FR, which is a CSV file containing SHA1 hashes of known malicious files and their associated threat IDs.
-
Data Retrieval: The query retrieves this data and stores it in a temporary table called
CERTFRFeed. -
Device File Events: It then looks at file events on devices within the network, specifically focusing on the SHA1 hash of files.
-
Joining Data: The query performs an inner join between the device file events and the CERT-FR feed based on the SHA1 hash. This means it only keeps records where there is a match between the file hashes on the devices and those in the CERT-FR list.
-
Threat Information: For each matched file, it creates a link to additional threat information using the threat ID from the CERT-FR feed.
-
Output: Finally, it organizes the output to show the timestamp of the event, the SHA1 hash, a link to more threat information, and the name of the device where the file was found.
The query is essentially a way to cross-reference local file events with a known list of malicious files to identify potential threats and provide additional context for further investigation.
Details

Bert-Jan Pals
Released: January 18, 2026
Tables
Keywords
Operators