Files matching known malicious hashes from abuse.ch’s recent threat feed may indicate the presence of recently active malware, and proactively hunting for these hashes in Azure Sentinel helps identify potential compromise early before further damage occurs. SOC teams should prioritize this hunt to quickly isolate and remediate threats leveraging real-time threat intelligence.
KQL Query
let MaxAge = ago(1d);
let AbuseFeed = toscalar (
    (externaldata(report:string)
    [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
    with (format = "txt"))
    | where report !startswith '#'
    | summarize make_set(report)
);
union (
    DeviceProcessEvents
    | where Timestamp > MaxAge and SHA256 in (AbuseFeed)
), (
    DeviceFileEvents
    | where Timestamp > MaxAge and SHA256 in (AbuseFeed)
), (
    DeviceImageLoadEvents
    | where Timestamp > MaxAge and SHA256 in (AbuseFeed)
)
id: 8bd9e7c0-82b9-43b4-b58e-53d1ee6d9180
name: Abuse.ch Recent Threat Feed (1)
description: |
  This query will hunt for files matching the current abuse.ch recent threat feed based on Sha256. Currently the query is set up to analyze the last day's worth of events, but this is configurable using the MaxAge variable.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - DeviceFileEvents
      - DeviceImageLoadEvents
tactics:
  - Execution
  - Persistence
  - Privilege escalation
  - Credential Access
  - Discovery
  - Impact
  - Exploit
  - Malware, component
  - Ransomware
query: |
  let MaxAge = ago(1d);
  let AbuseFeed = toscalar (
      (externaldata(report:string)
      [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
      with (format = "txt"))
      | where report !startswith '#'
      | summarize make_set(report)
  );
  union (
      DeviceProcessEvents
      | where Timestamp > MaxAge and SHA256 in (AbuseFeed)
  ), (
      DeviceFileEvents
      | where Timestamp > MaxAge and SHA256 in (AbuseFeed)
  ), (
      DeviceImageLoadEvents
      | where Timestamp > MaxAge and SHA256 in (AbuseFeed)
  )
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceImageLoadEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
**Scenario:** Legitimate software update from a trusted vendor
**Example:** A Windows Update or a patch from Microsoft, or a security tool like CrowdStrike or SentinelOne performing a scheduled update.
**Filter/Exclusion:** Exclude files signed by Microsoft or known vendors using the file.hash.sha256 field with a whitelist of known-good hashes, or use the file.malware field to exclude benign files.
**Scenario:** Scheduled backup or archive process
**Example:** A backup job using Veeam, Acronis, or a script using tar or rsync that generates temporary or archive files whose SHA256 hashes match the threat feed.
**Filter/Exclusion:** Exclude files with specific process names like veeam.exe, acronis.exe, or tar using the process.name field. Also, use file.path to exclude known backup directories.
**Scenario:** Admin task or script execution
**Example:** A system administrator running a script using PowerShell or Python to perform routine maintenance, which may generate temporary files with SHA256 hashes that match the threat feed.
**Filter/Exclusion:** Exclude processes with process.name like powershell.exe or python.exe, and use user.name to filter out admin accounts or specific users running scripts.
**Scenario:** Log file or temporary file generation
**Example:** A log file generated by a service like Splunk, ELK Stack, or a system service such as syslogd or rsyslogd that includes temporary files with SHA256 hashes matching the threat feed.
**Filter/Exclusion:** Exclude files with file.path containing known log directories (e.g., /var/log/, /var/opt/), or use file.type to exclude log files.
**Scenario:
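As an added example (not the page's own query), the same abuse.ch feed hunt extended with the exclusion ideas from the scenarios above, written against the column names of the Device* tables (SHA256, FileName, FolderPath, InitiatingProcessFileName, AccountName / InitiatingProcessAccountName) rather than the generic file.* and process.* field names used in the scenario text. The known-good hashes and backup path terms are constructed placeholders to be replaced with values the SOC has reviewed.

```kql
// Added example: abuse.ch SHA256 hunt with reviewed-benign and backup-tooling exclusions.
let MaxAge = ago(1d);
let AbuseFeed = toscalar(
    externaldata(report:string)
    [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
    with (format = "txt")
    | where report !startswith '#'
    | extend report = tolower(trim(@"\s+", report))  // normalise case and whitespace
    | where strlen(report) == 64                     // keep only well-formed SHA-256 values
    | summarize make_set(report)
);
// Hashes the SOC has reviewed and confirmed benign (placeholder values).
let KnownGoodHashes = dynamic(["<reviewed-benign-sha256-1>", "<reviewed-benign-sha256-2>"]);
// Backup/archive tooling from the scenarios above, excluded as the initiating process.
let BackupProcesses = dynamic(["veeam.exe", "acronis.exe", "tar"]);
// Directory name terms for known backup locations (placeholder values).
let BackupPathTerms = dynamic(["Backups", "VeeamBackup"]);
union
(DeviceProcessEvents
    | where Timestamp > MaxAge
    | project Timestamp, DeviceName, SHA256, FileName, FolderPath,
              Parent = InitiatingProcessFileName, Account = AccountName, Source = "ProcessCreate"),
(DeviceFileEvents
    | where Timestamp > MaxAge
    | project Timestamp, DeviceName, SHA256, FileName, FolderPath,
              Parent = InitiatingProcessFileName, Account = InitiatingProcessAccountName, Source = "FileEvent"),
(DeviceImageLoadEvents
    | where Timestamp > MaxAge
    | project Timestamp, DeviceName, SHA256, FileName, FolderPath,
              Parent = InitiatingProcessFileName, Account = InitiatingProcessAccountName, Source = "ImageLoad")
| where isnotempty(SHA256)
| extend SHA256 = tolower(SHA256)          // feed values were lower-cased above
| where SHA256 in (AbuseFeed)
| where SHA256 !in (KnownGoodHashes)       // scenario 1: reviewed-benign allowlist
| where tolower(Parent) !in (BackupProcesses)        // scenario 2: backup tooling
| where not(FolderPath has_any (BackupPathTerms))    // scenario 2: backup directories
// One row per device/hash/account so a single malware drop is not spread over many rows.
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Events = count(),
            Sources = make_set(Source), Files = make_set(FileName, 10), Paths = make_set(FolderPath, 10)
    by DeviceName, SHA256, Account
| order by FirstSeen asc
```

Review any excluded row before widening the allowlist: a hash on the feed that keeps appearing under a backup process is still worth a second look, since exclusions by process name are easy for a tampered host to satisfy.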