Google Threat Intelligence - Threat Hunting Hash
Google Threat Intelligence hash correlation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
| Sysmon | 23 | FileDelete (File Delete archived) |
| Sysmon | 26 | FileDeleteDetected (File Delete logged) |
| Security-Auditing | 4663 | An attempt was made to access an object. |
Stages and Predicates
| Stage | Operator | Predicate |
|---|---|---|
| 1 | source | `_Im_FileEvent` |
| 2 | where | `Hash` is not null |
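The two stages above written out as a runnable KQL query, added here as an example rather than the rule's own query text. The page does not say how the Google Threat Intelligence hashes reach the workspace; the example assumes they are ingested as indicators into Microsoft Sentinel's `ThreatIntelligenceIndicator` table, and the 14-day lookback is an assumed value.

```kql
// Added example, not the rule's own query. Correlation target assumed to be the
// ThreatIntelligenceIndicator table (TI data connector); lookback value assumed.
let lookback = 14d;
let tiHashes =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookback)
    | where isnotempty(FileHashValue)
    // keep only the newest copy of each indicator, then drop inactive or expired ones
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorId, FileHashValue = tolower(FileHashValue), FileHashType,
              ThreatType, ConfidenceScore, Description;
// Stage 1: source - the ASIM file event parser normalizes Sysmon 11/23/26 and
// Security 4663 into one schema, which is why a single query covers all four
_Im_FileEvent
// Stage 2: where - only events that actually carry a file hash
| where isnotnull(Hash)
| extend Hash = tolower(Hash)
// Correlation: an event is a hit only when its hash matches an active indicator
| join kind=inner tiHashes on $left.Hash == $right.FileHashValue
| project TimeGenerated, EventType, DvcHostname, ActorUsername, TargetFilePath,
          Hash, FileHashType, ThreatType, ConfidenceScore, Description, IndicatorId
```

Hashes are lower-cased on both sides before the join because indicator feeds and event sources do not agree on case; the `arg_max` step avoids matching on an indicator that a later update has revoked.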