File Names for Indicators of Compromise

BxLoz25 · ‎Nov 22 2022

Hello Everyone,

Does anyone know if it is possible to block by File Name in Defender for AV? I know in MDE we need the hash. I did not see documentation on this thus far unless I am missing it.

Thanks

Ambarish RH · ‎Nov 22 2022

@BxLoz25 looks like File Hash is the available option Allow or block files using the Tenant Allow/Block List - Office 365 | Microsoft Learn

BxLoz25 · ‎Nov 23 2022

Thanks. To accomplish the task, I created a custom detection rule in MS Defender 365 and set actions to quarantine the file based on KQL query to match by file name.

```
DeviceFileEvents
| where FileName contains "test_basic_batch.bat"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA1, InitiatingProcessCommandLine, RequestAccountName, InitiatingProcessAccountUpn, DeviceId, ReportId
```
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-w...

File Names for Indicators of Compromise

File Names for Indicators of Compromise

Re: File Names for Indicators of Compromise

Re: File Names for Indicators of Compromise

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

File Names for Indicators of Compromise