FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
kmikhaylov
Staff
Article Id 413988
Description This article describes how to log and search for PowerShell commands executed in interactive mode in Threat Hunting.
Scope FortiEDR version 5.2 and above.
Solution

With FortiEDR, it is possible to log and search for PowerShell commands executed in interactive mode using Threat Hunting functionality.

To collect and parse event ID 4104 (the PowerShell Script Block Logging event), configure the following:

  1. PowerShell logging has to be enabled on the source device. Refer to the Microsoft documentation for details: about_Logging_Windows.

  2. 'Event Log Entry Created' events have to be enabled in the Threat Hunting profile assigned to the devices:

event_log_entry_created.png

Once a new event ID 4104 entry is generated on the device, it is recorded in the Threat Hunting Repository and can be found with the query 'EventLog.EventID: ("4104")':

event_id_4104_query.png

To narrow the results to a specific security event, use part of the logged command text as an additional search condition.

In the sample event, a network connection to a specific IP address was initiated:

pwoershell_event.png

The event log entry containing the command can then be isolated by combining the event ID and the destination IP address as conditions: 'EventLog.EventID: ("4104")' and *<destination_ip>*:

test_event.png
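The following PowerShell snippet is an added example, not code from Fortinet or from this article: it enables Script Block Logging on the source device (step 1 above) and then searches the local PowerShell Operational log for 4104 entries whose script block mentions a destination IP, which is the same filter the Threat Hunting query 'EventLog.EventID: ("4104")' and *<destination_ip>* applies in the repository. It assumes an elevated PowerShell session, and 203.0.113.10 is a placeholder address; function names are the example's own.

```powershell
# Added example (not Fortinet code). Run in an elevated PowerShell session on the source device.
# 203.0.113.10 is a placeholder (TEST-NET) address; replace it with the IP you are hunting for.

$LogName = 'Microsoft-Windows-PowerShell/Operational'   # the log that receives event ID 4104

function Enable-ScriptBlockLogging {
    # Same registry value that the 'Turn on PowerShell Script Block Logging' policy sets.
    # Open a new PowerShell session afterwards so the setting is definitely picked up.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    return ((Get-ItemProperty -Path $key).EnableScriptBlockLogging -eq 1)
}

function Find-ScriptBlockByDestination {
    param(
        [Parameter(Mandatory)][string]$DestinationIp,
        [int]$MaxEvents = 5000
    )
    # Escape the dots so '203.0.113.10' does not also match '203a0b113c10'.
    $pattern = [regex]::Escape($DestinationIp)

    # 4104 event data: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
    # [3] ScriptBlockId, [4] Path. Long script blocks arrive as several numbered parts.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Part          = "$($_.Properties[0].Value)/$($_.Properties[1].Value)"
                Path          = $_.Properties[4].Value      # empty for interactive commands
                ScriptBlock   = $_.Properties[2].Value
            }
        }
}

# Usage: confirm logging is on, then search for interactive commands that referenced the IP.
if (Enable-ScriptBlockLogging) {
    Find-ScriptBlockByDestination -DestinationIp '203.0.113.10' |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, ScriptBlockId, Part, ScriptBlock -AutoSize -Wrap
}
```

If the local search returns the entry but the Threat Hunting query does not, check that 'Event Log Entry Created' is enabled in the profile assigned to that device (step 2 above).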