File Names for Indicators of Compromise

New Contributor

Hello Everyone,

 

Does anyone know if it is possible to block by File Name in Defender for AV? I know in MDE we need the hash. I did not see documentation on this thus far unless I am missing it.

 

Thanks

2 Replies
Thanks. To accomplish the task, I created a custom detection rule in MS Defender 365 and set actions to quarantine the file based on KQL query to match by file name.

```
DeviceFileEvents
| where FileName contains "test_basic_batch.bat"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA1, InitiatingProcessCommandLine, RequestAccountName, InitiatingProcessAccountUpn, DeviceId, ReportId
```
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-w...