Query Details

TI Feed CERT FR MISP Feed

Query

# Hunt for malicious files that have been identified by CERT-FR

#### Source: CERT-FR
#### Feed link: https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv

### Defender For Endpoint

```kql
// Column names are assigned by position: first column = hash, second column = MISP event UUID.
let CERTFRFeed = externaldata (SHA1: string, threatid: string) ["https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv"] with (format="csv")
    | extend SHA1 = tolower(SHA1);
DeviceFileEvents
| where isnotempty(SHA1)
// kind=inner keeps every matching file event; the default (innerunique) returns only one left-side row per hash.
| join kind=inner CERTFRFeed on SHA1
// Additional information about the hash is available by using the ThreatInfoLink field.
| extend ThreatInfoLink = strcat("https://misp.cert.ssi.gouv.fr/feed-misp/", threatid, ".json")
| project-reorder Timestamp, SHA1, ThreatInfoLink, DeviceName
```
### Sentinel
```kql
// Column names are assigned by position: first column = hash, second column = MISP event UUID.
let CERTFRFeed = externaldata (SHA1: string, threatid: string) ["https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv"] with (format="csv")
    | extend SHA1 = tolower(SHA1);
DeviceFileEvents
| where isnotempty(SHA1)
// kind=inner keeps every matching file event; the default (innerunique) returns only one left-side row per hash.
| join kind=inner CERTFRFeed on SHA1
// Additional information about the hash is available by using the ThreatInfoLink field.
| extend ThreatInfoLink = strcat("https://misp.cert.ssi.gouv.fr/feed-misp/", threatid, ".json")
| project-reorder TimeGenerated, SHA1, ThreatInfoLink, DeviceName
```



Explanation

The query hunts for files that CERT-FR has published as malicious in its MISP feed. `externaldata` reads the feed's `hashes.csv` directly from the URL and assigns column names by position, so `SHA1` and `threatid` are labels chosen by the query, not headers taken from the file; `threatid` is the UUID of the MISP event the hash belongs to. The feed is joined with the DeviceFileEvents table on the hash, and a ThreatInfoLink field is built from that UUID pointing at the event's JSON document on the feed server, which holds the remaining context for the indicator. The final result lists the Timestamp (TimeGenerated in Sentinel), SHA1 hash, ThreatInfoLink and device name for every matching file event. Two things to check before relying on the results: externaldata will not complain if the first column is not actually a SHA1 (a standard MISP feed export writes an MD5 of each attribute value into hashes.csv rather than the raw indicator, so confirm what this feed contains), and a plain `join` defaults to innerunique, which returns only one file event per hash; use `join kind=inner` when every sighting matters.
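As an added example, not part of the original page or of Bert-Jan Pals' query, the following Defender for Endpoint variant generalises the join to all three hash columns that DeviceFileEvents carries (MD5, SHA1, SHA256) and rolls the hits up per indicator, so a feed entry of any hash type is caught and one row per compromised indicator is returned instead of one row per file event. The column names `Hash` and `EventUuid` are positional labels chosen here and are assumptions about the feed's layout, as is the `CERTFRFeed` pipeline that normalises them.

```kql
// Added example: match the CERT-FR feed against MD5, SHA1 and SHA256 and summarise per indicator.
// Hash / EventUuid are positional labels assumed by this example; verify the feed's real layout first.
let CERTFRFeed = externaldata (Hash: string, EventUuid: string) ["https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv"] with (format="csv")
    | where isnotempty(Hash)
    | extend Hash = tolower(trim(@"\s", Hash));
DeviceFileEvents
| where isnotempty(SHA1) or isnotempty(SHA256) or isnotempty(MD5)
// One row per (event, hash) so a single join covers every hash type the endpoint reported.
| extend Hashes = pack_array(tolower(MD5), tolower(SHA1), tolower(SHA256))
| mv-expand Hash = Hashes to typeof(string)
| where isnotempty(Hash)
// kind=inner keeps every sighting; innerunique (the default) would drop repeated events for the same hash.
| join kind=inner CERTFRFeed on Hash
| extend ThreatInfoLink = strcat("https://misp.cert.ssi.gouv.fr/feed-misp/", EventUuid, ".json")
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Events = count(),
            Devices = make_set(DeviceName, 50), FileNames = make_set(FileName, 20),
            Actions = make_set(ActionType, 10)
  by Hash, ThreatInfoLink
| order by LastSeen desc
```

For Sentinel, replace `Timestamp` with `TimeGenerated` in the `summarize` line; the rest of the query is unchanged. The `Devices` and `FileNames` sets give a quick blast-radius view per indicator, and `ThreatInfoLink` still resolves to the MISP event JSON for further context.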

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceFileEvents

Keywords

Devices, Intune, User

Operators

externaldata, join, extend, strcat, project-reorder
