File Names for Indicators of Compromise


Hello Everyone,


Does anyone know if it is possible to block by File Name in Defender for AV? I know in MDE we need the hash. I did not see documentation on this thus far unless I am missing it.



Thanks. To accomplish the task, I created a custom detection rule in MS Defender 365 and set actions to quarantine the file based on KQL query to match by file name.

// Source table assumed to be DeviceFileEvents (not named in the original snippet).
// A custom detection rule needs Timestamp, ReportId and DeviceId in the result set,
// and the quarantine action needs SHA1; all four are projected below.
DeviceFileEvents
| where FileName contains "test_basic_batch.bat"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA1, InitiatingProcessCommandLine, RequestAccountName, InitiatingProcessAccountUpn, DeviceId, ReportId
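An added example of the same custom-detection approach, not code from the original reply: it matches the file name exactly (case-insensitive) instead of with contains, and unions file-on-disk events with process-execution events so a rule fires whether the file is written or run. The table and column names are the standard advanced hunting schema; the file name is a constructed sample value.

```kql
// Added example, not part of the original thread.
// Assumes the standard Microsoft 365 Defender advanced hunting tables
// DeviceFileEvents and DeviceProcessEvents. The file name is a sample value.
let TargetFileName = "test_basic_batch.bat";
// Leg 1: file created, modified or renamed on disk.
DeviceFileEvents
| where FileName =~ TargetFileName      // exact, case-insensitive (=~), not substring
| project Timestamp, DeviceId, DeviceName, ReportId, ActionType,
          FileName, FolderPath, SHA1,
          InitiatingProcessCommandLine, InitiatingProcessAccountUpn
| union (
    // Leg 2: the file was actually executed as a process.
    DeviceProcessEvents
    | where FileName =~ TargetFileName
    | project Timestamp, DeviceId, DeviceName, ReportId, ActionType,
              FileName, FolderPath, SHA1,
              InitiatingProcessCommandLine, InitiatingProcessAccountUpn
)
// Timestamp, ReportId and DeviceId are required for a custom detection rule;
// SHA1 is required for the "Quarantine file" response action.
```

A name-only match is brittle (renaming the file defeats it), so treat this as a stopgap and add a hash or certificate indicator for the same file where one is available.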