i have one policy with a 'Monitor Powershell usage' rule that was setup and reports in and I see data in a query.
In the second policy, i created a new rule and name it 'Monitor Powershell usage W10'. but this does not show up as a "threat name" for queries. I have block and report selected in both rules for testing. Yes it blocks.
when testing the second policy on a system, the policy is applied and functions but does not report.
what am i missing that it does not report back to ePO console?
Re: Powershell reporting in access protection does not show
Hi, Thank you for the follow up.
I am not clear on what you are asking here - "Does the second query show up on the Locally on Endpoint ?"
on the endpoint in the access protection log, i get no errors and the correct entry.
2/2/2021 7:45:59 AM mfeesp(5920.1488) <SYSTEM> ApBl.AP.Activity: domain\user ran C:\Windows\System32\cmd.exe, which tried to access the file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, violating the rule "Monitor PowerShell Usage W10", and was blocked. For information about how to respond to this event, see KB85494.
Issue is, 1. i am not able to create report in epo for specified rule above as that rule does not show as a threat name. 2. the endpoint does not appear to be sending events to epo for this rule. I tested with eicar also and the event for eicar did show in epo.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.