Hi,
I have one query about Sophos XDR with Application control.
One customer created application control in block mode and cscript.exe is being blocked. But he wanted to find the command line that was attempting to execute this when the application control is in place.
----------------
The customer already tried our suggestion to use live query but the result is, XDR does not gather any telemetry of attempted application executions when the application is blocked via Application Control, only he was able to find the execution string logged in the DataLake or LiveQuery when App Control was not enabled (with command line below)
but after the application was blocked here's the result with the same query for the past hour, there are no results found:
and only general information that it was blocked in the events list which is expected
The question is:
- Is the command line that is attempting to execute but blocked by app control logged anywhere by Sophos (including XDR datalake)? or if it is possible for XDR to capture this information when App Control is in place?
- If not, is this because its not possible to capture that information at the time of attempted execution?
Thank you!