@Shivammalaviya
Created September 28, 2021 20:01
let MaxAge = ago(7d);
// SHA256 values to exclude from the results (known-good files). 'hhh' is a placeholder.
let SHA256_whitelist = pack_array(
    'hhh'
);
// MalwareBazaar "recent" export: comment and header lines start with '#', data lines are
// quoted CSV. Read each line as one string (format="txt") so comments can be dropped first.
let abuse_ch = externaldata(line: string)
    [@"https://bazaar.abuse.ch/export/csv/recent/"]
    with (format="txt")
| where line !startswith "#"
| extend fields = extract_all(@'"([^"]*)"', line)
// Positions follow the export header: first_seen_utc, sha256_hash, md5_hash, sha1_hash,
// reporter, file_name, file_type_guess, mime_type, signature, clamav, vtpercent, ...
| project sha256_hash = tolower(tostring(fields[1])),
          signature = tostring(fields[8]),
          vtpercent = tostring(fields[10]);
abuse_ch
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > MaxAge
    | where SHA256 !in (SHA256_whitelist)
  ) on $left.sha256_hash == $right.SHA256
| project Timestamp, FileName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, SHA256, signature, vtpercent
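To check the feed-parsing and matching logic offline before running the hunt, here is an added Python example that is not part of the gist or of MalwareBazaar's tooling. It parses a constructed sample in the layout of the "recent" CSV export (comment lines beginning with `#`, the column header itself written as a comment, every field double-quoted), builds a lookup keyed by SHA-256, and joins it against constructed `DeviceFileEvents`-style records with the same 7-day window and allow-list the query applies. The hashes, reporter names, file names and timestamps are constructed; the column positions are taken from the header row at parse time rather than hard-coded.

```python
import csv
from datetime import datetime, timedelta, timezone

# Constructed 64-hex-character "hashes" for the example (not real samples).
H_MAL = "a1" * 32     # present in the feed and seen on an endpoint within 7 days
H_ALLOW = "b2" * 32   # present in the feed but allow-listed as a known-good file
H_CLEAN = "c3" * 32   # not present in the feed at all

# Constructed sample in the shape of the MalwareBazaar recent export.
FEED_SAMPLE = f'''\
################################################################
# MalwareBazaar recent CSV export (constructed sample)         #
################################################################
#
# "first_seen_utc","sha256_hash","md5_hash","sha1_hash","reporter","file_name","file_type_guess","mime_type","signature","clamav","vtpercent","imphash","ssdeep","tlsh"
"2021-09-28 19:55:08","{H_MAL}","n/a","n/a","reporter1","invoice.exe","exe","application/x-dosexec","AgentTesla","n/a","61.54","n/a","n/a","n/a"
"2021-09-28 19:58:31","{H_ALLOW}","n/a","n/a","reporter2","tool.exe","exe","application/x-dosexec","n/a","n/a","3.12","n/a","n/a","n/a"
'''


def parse_feed(text):
    """Return {sha256 (lowercase): {"signature": ..., "vtpercent": ...}}.

    Comment lines are skipped, except that the commented-out header row is used
    to locate the columns we need, so a reordered export still parses correctly.
    """
    header = None
    data_lines = []
    for line in text.splitlines():
        if line.startswith("#"):
            stripped = line.lstrip("# ").strip()
            if stripped.startswith('"'):          # the header row, e.g. # "first_seen_utc",...
                header = next(csv.reader([stripped]))
            continue
        if line.strip():
            data_lines.append(line)
    if header is None:
        raise ValueError("header row not found in feed")
    col = {name: i for i, name in enumerate(header)}
    feed = {}
    # skipinitialspace tolerates a space after the comma before the next quoted field.
    for rec in csv.reader(data_lines, skipinitialspace=True):
        if len(rec) != len(header):
            continue                               # malformed or truncated line: ignore
        feed[rec[col["sha256_hash"]].lower()] = {
            "signature": rec[col["signature"]],
            "vtpercent": rec[col["vtpercent"]],
        }
    return feed


def hunt(feed, events, allowlist, now, max_age=timedelta(days=7)):
    """Join file events against the feed: same window and allow-list as the KQL query."""
    allow = {h.lower() for h in allowlist}
    cutoff = now - max_age
    hits = []
    for ev in events:
        if ev["Timestamp"] <= cutoff:
            continue                               # outside the MaxAge window
        sha = ev["SHA256"].lower()                 # normalise case before comparing
        if sha in allow or sha not in feed:
            continue
        hits.append({**ev, **feed[sha]})
    return hits


# Constructed DeviceFileEvents-style records.
NOW = datetime(2021, 9, 28, 20, 1, tzinfo=timezone.utc)
EVENTS = [
    {"Timestamp": NOW - timedelta(hours=2), "FileName": "invoice.exe",
     "InitiatingProcessAccountUpn": "alice@example.test",
     "InitiatingProcessCommandLine": "outlook.exe", "SHA256": H_MAL.upper()},
    {"Timestamp": NOW - timedelta(days=10), "FileName": "old.exe",       # too old
     "InitiatingProcessAccountUpn": "bob@example.test",
     "InitiatingProcessCommandLine": "explorer.exe", "SHA256": H_MAL},
    {"Timestamp": NOW - timedelta(hours=1), "FileName": "tool.exe",      # allow-listed
     "InitiatingProcessAccountUpn": "carol@example.test",
     "InitiatingProcessCommandLine": "cmd.exe", "SHA256": H_ALLOW},
    {"Timestamp": NOW - timedelta(hours=1), "FileName": "notes.txt",     # not in feed
     "InitiatingProcessAccountUpn": "dave@example.test",
     "InitiatingProcessCommandLine": "notepad.exe", "SHA256": H_CLEAN},
]

if __name__ == "__main__":
    for hit in hunt(parse_feed(FEED_SAMPLE), EVENTS, [H_ALLOW], NOW):
        print(hit["Timestamp"], hit["FileName"], hit["signature"], hit["vtpercent"])
```

Only `invoice.exe` is reported: the older sighting of the same hash falls outside the window, the allow-listed hash is dropped, and the clean hash never matches. Reading the column positions from the header is the part worth carrying back to the KQL version if the export layout changes.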