Blocking PowerShell While Allowing Certain Powershell Scripts


L1 Bithead

Hi, good day!


I need some help with configuring PowerShell restrictions in Cortex XDR.

I'm currently facing an issue where Cortex XDR has detected a PowerShell script executed from a user endpoint. After investigation, we confirmed that this script is part of a legitimate IT department operation.

Our goal is to allow specific, authorized PowerShell script activity while blocking all other unauthorized or unknown scripts. Based on the documentation, it appears that we need to create a Legacy Agent Exception to permit the approved scripts.

However, we would like to explore if there are more effective or granular methods to achieve this. Are there alternative approaches, such as policy configurations or allowlisting mechanisms, that would provide better control over PowerShell script execution?

Could anyone guide me through the process of implementing the best approach to achieve this?

I really appreciate any insights or recommendations on best practices.

Thanks in advance for your help!

Accepted Solutions

L5 Sessionator

Hi @A.ABDULLAH893848, thanks for reaching us using the Live Community.


How often are these IT scripts modified?

You could use the Action Center's Allow List to add the scripts' hashes and maintain the list when there is a modification.

The path exception is not usually recommended, but maybe you can create a filename exception by giving all the script files a naming convention like "IT-Script-Something_Description", and you can use a wildcard for that standard name that is unique and only belongs to your environment.


You can find here a nice webinar about Alert Handling and how to create the right exceptions for different use cases.


If this post answers your question, please mark it as the solution.

JM
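As an added example (not part of the original thread and not a Cortex XDR feature), the following PowerShell keeps a SHA-256 baseline of the approved IT scripts and reports which hashes need adding to, or retiring from, the Action Center allow list after a change. The directory, baseline path and the "IT-Script-*" naming convention are assumptions taken from the thread, and it assumes SHA-256 is the hash type the allow list accepts.

```powershell
# Added example: maintain a SHA-256 baseline of approved IT scripts so the
# allow list can be updated whenever a script is modified.
# $ScriptDir, $Baseline and the IT-Script-* pattern are assumptions.
param(
    [string]$ScriptDir = 'C:\IT\Scripts',              # assumed location of approved scripts
    [string]$Baseline  = 'C:\IT\approved-hashes.json'  # assumed location of the last baseline
)

# Hash every script that follows the naming convention from the thread.
$current = @{}
Get-ChildItem -Path $ScriptDir -Filter 'IT-Script-*.ps1' -File -Recurse |
    ForEach-Object {
        $current[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }

# Load the previous baseline (path -> hash), if one exists.
$previous = @{}
if (Test-Path $Baseline) {
    (Get-Content -Path $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $previous[$_.Name] = $_.Value }
}

# Classify: unchanged hashes need no action; new or modified scripts need
# their new hash added; superseded or deleted scripts can be retired.
$toAdd = @()
$toRetire = @()
foreach ($path in $current.Keys) {
    if (-not $previous.ContainsKey($path) -or $previous[$path] -ne $current[$path]) {
        $toAdd += [pscustomobject]@{ Path = $path; SHA256 = $current[$path] }
        if ($previous.ContainsKey($path)) { $toRetire += $previous[$path] }
    }
}
foreach ($path in $previous.Keys) {
    if (-not $current.ContainsKey($path)) { $toRetire += $previous[$path] }
}

Write-Host 'Hashes to ADD to the Action Center allow list:'
$toAdd | Format-Table -AutoSize
Write-Host 'Hashes that can be RETIRED from the allow list:'
$toRetire | Sort-Object -Unique

# Persist the current state as the baseline for the next run.
$current | ConvertTo-Json | Set-Content -Path $Baseline -Encoding UTF8
```

Run it after each scheduled script update; the ADD list is what gets entered in the Action Center, and retiring old hashes keeps the allow list from growing into a permanent bypass for stale versions.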

2 REPLIES 2

Dear @jmazzeo


The IT scripts are modified quite frequently as part of our regular updates and automation improvements. Using the Action Center's Allow List seems like a great solution to ensure that the latest script versions are always accounted for. I’ll explore this option further.

I understand the path exception isn't recommended, but I appreciate your suggestion regarding a unique naming convention. Implementing a pattern like IT-Script-* with a wildcard could definitely simplify exception handling for our environment.

Also, thanks for sharing the link to the webinar on Alert Handling—I'll be sure to check it out!


Thanks again for your help!
