
[Rule Tuning] PowerShell Script Block Logging Disabled: incorrectly flagging legitimate executable files #4964

@girtsLv


Link to Rule

https://github.com/elastic/detection-rules/blob/756a7f49ba55e8eb14d038ce441a5b7e499a48a0/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

The "PowerShell Script Block Logging Disabled" detection rule is incorrectly flagging legitimate Intune executable files (DeviceEnroller.exe, omadmclient.exe) as suspicious.

Example Data

No response
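An added example (not code from this issue or from the elastic/detection-rules project) of what such a tuning looks like: the rule's core condition modelled in Python and run over constructed registry-change events, with an exclusion keyed on both process name and full executable path so that a copy of the binary outside its install directory still alerts. The flattened ECS field names and the System32 install paths of the two Intune binaries are assumptions.

```python
# Added example, not part of the issue or of elastic/detection-rules: a minimal
# model of the rule's condition plus a false-positive exclusion for the two
# Intune binaries named in the report. ECS field names are flattened into keys.
SCRIPT_BLOCK_VALUE = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
    r"\ScriptBlockLogging\EnableScriptBlockLogging"
)
# Intune MDM enrollment/sync binaries reported as benign (paths are assumed).
INTUNE_EXCLUSIONS = {
    "deviceenroller.exe": r"c:\windows\system32\deviceenroller.exe",
    "omadmclient.exe": r"c:\windows\system32\omadmclient.exe",
}

def matches_rule(event: dict) -> bool:
    """Untuned condition: a registry change that sets the value to 0."""
    return (
        event.get("event.type") == "change"
        and event.get("registry.path", "").lower() == SCRIPT_BLOCK_VALUE.lower()
        and event.get("registry.data.strings") in ("0", "0x00000000")
    )

def is_intune_false_positive(event: dict) -> bool:
    """Exclude only when process name AND full path both match, so a copy of
    the binary dropped under another directory keeps firing the rule."""
    name = event.get("process.name", "").lower()
    exe = event.get("process.executable", "").lower()
    return INTUNE_EXCLUSIONS.get(name) == exe

def matches_tuned_rule(event: dict) -> bool:
    return matches_rule(event) and not is_intune_false_positive(event)

def _event(name: str, exe: str, value: str) -> dict:
    return {"event.type": "change", "registry.path": SCRIPT_BLOCK_VALUE,
            "registry.data.strings": value,
            "process.name": name, "process.executable": exe}

# Constructed sample events (not real telemetry).
EVENTS = [
    _event("DeviceEnroller.exe", r"C:\Windows\System32\DeviceEnroller.exe", "0"),
    _event("omadmclient.exe", r"C:\Windows\System32\omadmclient.exe", "0x00000000"),
    _event("DeviceEnroller.exe", r"C:\Users\Public\DeviceEnroller.exe", "0"),
    _event("powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "0"),
    _event("DeviceEnroller.exe", r"C:\Windows\System32\DeviceEnroller.exe", "1"),
]

def alerts(events: list, tuned: bool = True) -> list:
    """Return the executables that would raise an alert under the chosen logic."""
    check = matches_tuned_rule if tuned else matches_rule
    return [e["process.executable"] for e in events if check(e)]
```

With the untuned logic all four "set to 0" events alert; with the exclusion only the relocated DeviceEnroller.exe copy and powershell.exe do.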
