Technical Tip: How to log PowerShell commands executed in interactive mode in Threat Hunting

With FortiEDR, it is possible to log and search for PowerShell commands executed in interactive mode using Threat Hunting functionality.

To parse event ID 4104, configure the following:

1. The PowerShell logging has to be enabled on the source device. Refer to Microsoft documentation for details: about_Logging_Windows.
   
   
2. 'Event Log Entry Created' events have to be enabled in the Threat Hunting profile, assigned to the devices:
   
   

Once the new event ID 4104 entry is generated on the device, it will be recorded in the Threat Hunting Repository and can be queried with the query: 'EventLog.EventID: ("4104")':

To filter the exact event, i.e., related to a specific security event, use the part of the command as the search condition.

In the sample event network connection to the specific IP was initiated:

It is possible to filter the event log entry containing the command by using the correct event ID and destination as the conditions: 'EventLog.EventID: ("4104")' and *<destination_ip>*: