Shivammalaviya/Threat Hunting for File Hashes as an IOC

## Threat Hunting for File Hashes as an IOC
let MaxAge = ago(7d);
let SHA256_whitelist = pack_array(
'hhh' // SHA256 that you want to whitelist.
);
let abuse_ch = (externaldata(sha256_hash: string,signature:string ,vtpercent:string )
[@"https://bazaar.abuse.ch/export/csv/recent/"]
with (format="txt"))
| where sha256_hash !startswith "#"
| project sha256_hash,signature,vtpercent;
abuse_ch
| join (DeviceFileEvents
| where Timestamp > MaxAge
) on $left.sha256_hash == $right.SHA256
| project Timestamp,FileName,InitiatingProcessAccountUpn,InitiatingProcessCommandLine,SHA256,signature,vtpercent
	let MaxAge = ago(7d);
	let SHA256_whitelist = pack_array(
	'hhh' // SHA256 that you want to whitelist.
	);
	let abuse_ch = (externaldata(sha256_hash: string,signature:string ,vtpercent:string )
	[@"https://bazaar.abuse.ch/export/csv/recent/"]
	with (format="txt"))
	\| where sha256_hash !startswith "#"
	\| project sha256_hash,signature,vtpercent;
	abuse_ch
	\| join (DeviceFileEvents
	\| where Timestamp > MaxAge
	) on $left.sha256_hash == $right.SHA256
	\| project Timestamp,FileName,InitiatingProcessAccountUpn,InitiatingProcessCommandLine,SHA256,signature,vtpercent