Forum Discussion
Solu662125
Feb 09, 2023 Copper Contributor
Create indicators for files in Defender
Hello, I'm looking for some guidelines here when creating a block list for "file hashes". My understanding is that when Defender definitions are updated daily, they already include known & bad file hash...
keenanbrooks
Feb 10, 2023 Brass Contributor
Hi,
Guessing you're looking at adding these hashes in from a threat intelligence feed you may have received? The key feature I see from creating this block list would be receiving alerts if it is triggered. You're more than likely right on the fact that EDR would block them but then again, better safe than sorry.
If you receive an alert for one of these hashes being triggered, it can give you an insight on looking into the user even if it would have originally been blocked by EDR; maybe it was received via a phishing email, meaning tweaks need to be made to your threat policies?
Hope this answers your question?