Currently this feature only has an observation mode. I hope an interception mode will be added in the future, for example: if the high risk level exceeds a certain score, automatic interception is triggered and a threat chart is built automatically.
Hi Leung233,
Thanks for reaching out to the Sophos Community Forum.
The detections you are seeing here typically require more analysis to determine everything that may be impacted in your environment. Creating an automated response based on the information Sophos ingests may be possible in the future, but I'm not aware of any immediate plans to develop something like this. The need to have a more intimate understanding of your network and environment is why incident response teams exist today.
If the PowerShell command you've highlighted here is run by a user logged in normally to a workstation, a detection may not be raised. An adversary with elevated access to your systems running commands under the "normal user context" may not be detected by an antivirus, because the commands are seen as legitimate.
If there is another process on the system which tries to execute this PowerShell command, that will be detected as malicious.
Do let me know if this helps, and if I understood your question correctly.