  • Save tuantmb/917cd81dd669f34f2391a7f0310fd069 to your computer and use it in GitHub Desktop.
// Hunt for files seen on endpoints in the last 7 days whose SHA256 appears
// in the MalwareBazaar (abuse.ch) "recent" CSV export.
let MaxAge = ago(7d);
let SHA256_whitelist = pack_array(
    'hhh' // SHA256 that you want to whitelist.
);
// Read the export line by line (format="txt" yields one string per line) and
// pull the quoted fields out with a regex, so the exact field separator used
// by the export does not matter. Column order follows the export's own header
// comment line (assumed here): 0=first_seen_utc, 1=sha256_hash, 8=signature, 10=vtpercent.
let abuse_ch = externaldata(line: string)
    [@"https://bazaar.abuse.ch/export/csv/recent/"]
    with (format="txt")
    | where line !startswith "#"        // skip the comment/header lines
    | extend fields = extract_all(@'"([^"]*)"', line)
    | project sha256_hash = tolower(tostring(fields[1])),
              signature   = tostring(fields[8]),
              vtpercent   = tostring(fields[10])
    | where isnotempty(sha256_hash);
abuse_ch
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > MaxAge
    | where SHA256 !in (SHA256_whitelist)   // drop hashes already triaged and whitelisted above
  ) on $left.sha256_hash == $right.SHA256
| project Timestamp, FileName, InitiatingProcessAccountUpn, InitiatingProcessCommandLine, SHA256, signature, vtpercent