Monitoring blocked Powershell events

Hello Community,

Currently we are blocking all powershell interaction on all clients in our company via the Application Control feature in sophos central.

We are aware that a lot of applications are using powershell for updating their services and stuff like that.

Currently we are missing any option to monitor the activity which process are trying to execute powershell.

In the Logs & Reports section we just see that the user tried to execute the powershell.exe but not which process.

On the Logs of the client itselfe we just get an entry "Powershell got blocked by the administrator".

With Sophos Live Discover we just see successfully executed Powershell commands so that doesnt help us as well.

Does someone know how we can review the processes which tried to execute powershell but got blocked by sophos?

Thanks in forward!

Sincerely Yours.

Parents Reply Children
No Data