12-10-2025 01:20 AM - edited 12-10-2025 01:24 AM
Hello,
Please, how can I force the XDR Agent to capture all commands in CMD and PowerShell without a GPO?
For example, we can detect the quser command, but we can't detect the Set-Alias command.
The problem is that another vendor can detect any command line running in memory.
Best regards.
12-10-2025 01:27 PM
dataset = xdr_data
| filter (event_type = 31 and event_sub_type = 10) or (event_type = 15 and action_evtlog_event_id IN (4104))
| alter script_data = if (event_type = 15, action_evtlog_message , to_string(dynamic_event_string_map))
| fields agent_hostname,
event_type,
event_sub_type,
actor_process_image_path,
actor_process_os_pid,
actor_process_image_md5,
actor_process_signature_vendor,
actor_process_signature_status,
actor_effective_username,
script_data
You need to find the data you are looking for. Use this XQL query to narrow things down.
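The event_type = 15 / Event ID 4104 branch of the query above only returns rows if PowerShell script block logging is actually producing events on the endpoint. The following PowerShell, added here as an example and not part of the original thread, enables script block and module logging through the local policy registry keys (the same keys a GPO would set), then runs a quick check that a Set-Alias call is recorded in Event ID 4104. It assumes the agent is configured to collect the Microsoft-Windows-PowerShell/Operational log; confirm that in your agent profile, and run the verification part from a new elevated PowerShell session after applying the settings.

```powershell
# Added example (not from the original thread): enable PowerShell script block
# logging and module logging via the local policy registry keys, so that
# Event ID 4104 rows exist for the XQL query's event_type = 15 branch.
# Assumes the Cortex XDR agent collects Microsoft-Windows-PowerShell/Operational
# (verify in your agent profile). Run from an elevated PowerShell session.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: the text of every executed script block (including
# interactive command lines) is written to Event ID 4104. This is what makes
# in-memory commands such as Set-Alias visible without a process creation.
$sbl = Join-Path $base 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Module logging: pipeline execution details (Event ID 4103) for the listed
# modules; '*' covers every module.
$ml = Join-Path $base 'ModuleLogging'
New-Item -Path $ml -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
$mlNames = Join-Path $ml 'ModuleNames'
New-Item -Path $mlNames -Force | Out-Null
Set-ItemProperty -Path $mlNames -Name '*' -Value '*' -Type String

# Confirm the values were written.
Get-ItemProperty -Path $sbl | Select-Object EnableScriptBlockLogging
Get-ItemProperty -Path $ml  | Select-Object EnableModuleLogging

# ---- Verification: run this part in a NEW PowerShell session ----
# Execute a command that leaves no process creation event, then confirm that
# Event ID 4104 captured its text. 'sbltest' is a constructed alias name.
Set-Alias -Name sbltest -Value Get-Date
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 50 |
    Where-Object { $_.Message -like '*sbltest*' } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

If the last command returns nothing, the query's 4104 branch will be empty too: check that the registry values are present (HKLM policy keys take precedence over per-user settings), that the session was started after the change, and that the Operational log is being forwarded by the agent. Event ID 4104 also carries a level: script blocks the engine flags as suspicious are logged at Warning even when logging is off, so a small number of 4104 rows in XQL does not by itself prove the setting is enabled.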