2021-03-17 03:29 AM
I am looking for any possible way to search a huge list of malicious hashes in one go across all files in Endpoint Hybrid. I know there is a way to search for one hash at a time.
2021-03-21 08:57 AM
A couple of ways I do it: one is with SOAR, using a playbook to launch a load of the hashes and then a query back to the specific concentrators or decoders, creating alerts when it finds the specific use case. The other way I know of is to build an app rule with the specific query and then carve from there. I think RSA recommends this in the hunting process as well for malicious indicators.
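Whichever route you take (SOAR playbook or app rule), the part that actually has to scale is turning a raw hash list into a small number of well-formed, de-duplicated queries. The script below is an added example, not from the original posts or from RSA; it normalizes a feed (lower-cases, strips comments, drops malformed entries, removes duplicates, buckets by md5/sha1/sha256) and then emits batched query strings. The meta key name `checksum`, the `key = 'a','b'` list syntax and the batch size of 500 are assumptions to adjust for your own environment, and the sample feed is constructed, not real indicators.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Hex length -> digest name for the hash types commonly found in IOC feeds.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def normalize_hashes(raw_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {'md5': [...], 'sha1': [...], 'sha256': [...]} with each list
    lower-cased, validated as hex, and de-duplicated in first-seen order."""
    buckets: Dict[str, List[str]] = {name: [] for name in HASH_ALGOS.values()}
    seen = set()
    for line in raw_lines:
        h = line.strip().lower()
        if not h or h.startswith("#"):          # blank line or comment
            continue
        algo = HASH_ALGOS.get(len(h))
        if algo is None or not HEX_RE.match(h):  # wrong length or not hex
            continue
        if h in seen:                            # duplicate (case-insensitive)
            continue
        seen.add(h)
        buckets[algo].append(h)
    return buckets


def build_queries(hashes: List[str], meta_key: str = "checksum",
                  batch_size: int = 500) -> List[str]:
    """Split a hash list into batches and render one query string per batch.
    ASSUMPTION: the meta key name and the "key = 'v1','v2'" list syntax are
    placeholders; confirm both against your NetWitness version."""
    queries = []
    for i in range(0, len(hashes), batch_size):
        batch = hashes[i:i + batch_size]
        queries.append(f"{meta_key} = " + ",".join(f"'{h}'" for h in batch))
    return queries


def queries_for_feed(raw_lines: Iterable[str],
                     batch_size: int = 500) -> Dict[str, List[str]]:
    """Whole pipeline: feed lines -> per-algorithm batched queries."""
    return {algo: build_queries(hs, batch_size=batch_size)
            for algo, hs in normalize_hashes(raw_lines).items() if hs}


# Constructed sample feed (not real indicators): mixed case, a duplicate,
# a comment, an invalid entry, and seven deterministic md5 values.
CONSTRUCTED_MD5S = [hashlib.md5(f"sample-{i}".encode()).hexdigest()
                    for i in range(7)]
SAMPLE_FEED = [
    "# constructed sample list, not real indicators",
    "D41D8CD98F00B204E9800998ECF8427E",                  # upper-case md5
    "d41d8cd98f00b204e9800998ecf8427e",                  # duplicate of above
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",          # sha1
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "not-a-hash",
    "",
] + CONSTRUCTED_MD5S


if __name__ == "__main__":
    for algo, qs in queries_for_feed(SAMPLE_FEED, batch_size=5).items():
        print(f"{algo}: {len(qs)} query batch(es)")
        for q in qs:
            print("  ", q)
```

Batching matters because a single query carrying thousands of quoted values can exceed what the query layer accepts; keep the batch size modest and let the playbook iterate over the resulting list. Bucketing by algorithm also keeps you from issuing md5 values against a key that only ever holds sha256, which silently matches nothing.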