Forum Discussion
BxLoz25
Nov 22, 2022 (Copper Contributor)
File Names for Indicators of Compromise
Hello Everyone,
Does anyone know if it is possible to block by File Name in Defender for AV? I know in MDE we need the hash. I did not see documentation on this thus far unless I am missing it.
Thanks
2 Replies
- ambarishrh (Iron Contributor)
BxLoz25 looks like File Hash is the available option https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/allow-block-files?view=o365-worldwide
- BxLoz25 (Copper Contributor): Thanks. To accomplish the task, I created a custom detection rule in MS Defender 365 and set actions to quarantine the file based on a KQL query that matches by file name.
```kusto
// File events from onboarded devices; substring match on the file name
DeviceFileEvents
| where FileName contains "test_basic_batch.bat"
// Timestamp, DeviceId and ReportId are required for a custom detection rule;
// SHA1 is the hash the quarantine action uses
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA1, InitiatingProcessCommandLine, RequestAccountName, InitiatingProcessAccountUpn, DeviceId, ReportId
```
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide
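An added example (not part of the thread or Microsoft's documentation) that tightens the same approach: exact, case-insensitive matching against a list of names instead of a substring match, restricted to write-type events, while keeping the Timestamp, DeviceId, ReportId and SHA1 columns the custom detection rule and its quarantine action rely on. The file names in the list are constructed samples.

```kusto
// Added example, not the poster's rule. Exact-name matching against a list:
// `in~` is case-insensitive, and unlike `contains` it will not fire on
// "test_basic_batch.bat.txt" or "my_test_basic_batch.bat".
let WatchedFileNames = dynamic([
    "test_basic_batch.bat",   // constructed sample name
    "test_basic_batch.cmd"    // constructed sample name
]);
DeviceFileEvents
// Custom detections run on a schedule; bound the lookback to the rule frequency
| where Timestamp > ago(1h)
// Only care about the file being written or renamed into place, not deleted
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName in~ (WatchedFileNames)
// Timestamp, DeviceId and ReportId identify the impacted device for the rule;
// SHA1 is the column the quarantine action acts on, SHA256 helps later hash blocking
| project Timestamp, DeviceId, ReportId, DeviceName, ActionType,
          FileName, FolderPath, SHA1, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountUpn
```

Because the rule quarantines whatever hash it sees, review the SHA1/SHA256 values it returns before enabling the action; a renamed benign file with the same name would be quarantined too.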