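// MD5 indicators labelled SUNBURST in this detection content (values kept as given).
let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
// Single MD5 indicator labelled SUPERNOVA.
let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
imFileEvent
// A hex digest is the same value whether a parser emits it upper- or lower-case,
// so compare case-insensitively (in~ / =~); a plain `in` would silently miss
// hashes that arrive upper-cased. The scalar indicator is an equality test, not a list.
| where TargetFileMD5 in~ (SunburstMD5) or TargetFileMD5 =~ SupernovaMD5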
Caleb Oni
You have a Microsoft Sentinel workspace.
You create the following analytics query.
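// MD5 indicators labelled SUNBURST in this detection content (values kept as given).
let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
// Single MD5 indicator labelled SUPERNOVA.
let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
imFileEvent
// A hex digest is the same value whether a parser emits it upper- or lower-case,
// so compare case-insensitively (in~ / =~); a plain `in` would silently miss
// hashes that arrive upper-cased. The scalar indicator is an equality test, not a list.
| where TargetFileMD5 in~ (SunburstMD5) or TargetFileMD5 =~ SupernovaMD5
// Columns consumed by the analytics rule: `timestamp` plus the entity columns
// (account, host, file hash + its algorithm) that drive incident entity mapping.
// NOTE(review): the *CustomEntity column convention is the older column-based
// entity mapping; confirm the rule is configured to read these columns.
| extend
    timestamp = TimeGenerated,
    AccountCustomEntity = User,
    HostCustomEntity = DvcHostname,
    FileHashCustomEntity = TargetFileMD5,
    AlgorithmCustomEntity = "MD5"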
You need to add the query to the workspace.
What should you do first?