Query Details

Hunt for malicious files that have been identified by CERT-FR

TI Feed CERT FR MISP Feed

Query

let CERTFRFeed = externaldata (SHA1: string, threatid :string) ["https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv"];
DeviceFileEvents
| join kind=inner CERTFRFeed on SHA1
// Additional information about the hash is available by using the ThreatInfoLink field.
| extend ThreatInfoLink = strcat("https://misp.cert.ssi.gouv.fr/feed-misp/", threatid, ".json")
| project-reorder Timestamp, SHA1, ThreatInfoLink, DeviceName

About this query

Hunt for malicious files that have been identified by CERT-FR

Source: CERT-FR

Feed link: https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv

Defender XDR

Sentinel

let CERTFRFeed = externaldata (SHA1: string, threatid :string) ["https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv"];
DeviceFileEvents
| join kind=inner CERTFRFeed on SHA1
// Additional information about the hash is available by using the ThreatInfoLink field.
| extend ThreatInfoLink = strcat("https://misp.cert.ssi.gouv.fr/feed-misp/", threatid, ".json")
| project-reorder TimeGenerated, SHA1, ThreatInfoLink, DeviceName

Explanation

This query is designed to identify potentially malicious files on a network by comparing file hashes from device events with a list of known malicious hashes provided by CERT-FR. Here's a simple breakdown of what the query does:

  1. Data Source: It uses an external data source from CERT-FR, which is a CSV file containing SHA1 hashes of known malicious files and their associated threat IDs.

  2. Data Retrieval: The query retrieves this data and stores it in a temporary table called CERTFRFeed.

  3. Device File Events: It then looks at file events on devices within the network, specifically focusing on the SHA1 hash of files.

  4. Joining Data: The query performs an inner join between the device file events and the CERT-FR feed based on the SHA1 hash. This means it only keeps records where there is a match between the file hashes on the devices and those in the CERT-FR list.

  5. Threat Information: For each matched file, it creates a link to additional threat information using the threat ID from the CERT-FR feed.

  6. Output: Finally, it organizes the output to show the timestamp of the event, the SHA1 hash, a link to more threat information, and the name of the device where the file was found.

The query is essentially a way to cross-reference local file events with a known list of malicious files to identify potential threats and provide additional context for further investigation.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 18, 2026

Tables

DeviceFileEvents

Keywords

DeviceFileEventsThreatInfoLinkTimestampNameTimeGenerated

Operators

letexternaldatajoinonextendstrcatproject-reorder

Actions

GitHub