https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-quot-script-activity-245655498-quot/m-p/594458#M7052 <P>Hello everyone,</P> <P>&nbsp;</P> <P>I just received this alert "<SPAN>Script Activity - 245655498</SPAN>" with this description "<SPAN>Suspicious script with keywords written in a non-standard way.</SPAN>" in Cortex multiple times related to PowerShell script execution on a developer machine. The executed scripts were different and I don't know why Cortex is blocking such executions. There is also no documentation on this.</P> <P>&nbsp;</P> <P>Alert source: XDR Agent</P> <P>Initiator and CGO path are the same in one of the alerts:&nbsp;"C:\Program Files\PowerShell\7\pwsh.exe" -WindowStyle Minimized -file c:\folder1\script.ps1</P> <P>&nbsp;</P> <P>Thank you for your help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 09 Aug 2024 07:49:56 GMT Arman_Zaheri 2024-08-09T07:49:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-quot-script-activity-245655498-quot/m-p/594458#M7052 <P>Hello everyone,</P> <P>&nbsp;</P> <P>I just received this alert "<SPAN>Script Activity - 245655498</SPAN>" with this description "<SPAN>Suspicious script with keywords written in a non-standard way.</SPAN>" in Cortex multiple times related to PowerShell script execution on a developer machine. The executed scripts were different and I don't know why Cortex is blocking such executions. There is also no documentation on this.</P> <P>&nbsp;</P> <P>Alert source: XDR Agent</P> <P>Initiator and CGO path are the same in one of the alerts:&nbsp;"C:\Program Files\PowerShell\7\pwsh.exe" -WindowStyle Minimized -file c:\folder1\script.ps1</P> <P>&nbsp;</P> <P>Thank you for your help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 09 Aug 2024 07:49:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-quot-script-activity-245655498-quot/m-p/594458#M7052 Arman_Zaheri 2024-08-09T07:49:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-quot-script-activity-245655498-quot/m-p/595244#M7087 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/922167235">@Arman_Zaheri</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on live community!</P> <P>This alert is due to the use of suspicious keywords/parameters in the script which may inline with malicious behaviour. Please investigate the causality chain and the involved command line. If script is benign and executed by your employees for legitimate purpose then you may need to create exception for it. To create exception, identify the module which triggered the alert from alert table. Then based on either script location or command line you can create exception for the module and apply to particular profile which was applied to developer machines.</P> <P>Please open a support case if you need more help with alert investigation/exception.</P> <P>&nbsp;</P> <P>Please c<SPAN>lick&nbsp;</SPAN><STRONG>Accept as Solution</STRONG><SPAN>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> Mon, 19 Aug 2024 16:13:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-quot-script-activity-245655498-quot/m-p/595244#M7087 nsinghvirk 2024-08-19T16:13:50Z