Powershell_ise.exe command line doesn't appear in Azure Sentinel

Nimantha Deshappriya 21 Reputation points
2022-07-25T09:01:42.73+00:00

Why don't the powershell_ise.exe command lines appear in the Azure Sentinel results? Please see the attached 224239-sentinel-community.png

I have run a few commands. However, they don't appear in the Azure Sentinel results. It only says the process was started.


3 answers

  1. MotoX80 36,291 Reputation points
    2022-07-25T12:08:55.473+00:00

    Powershell_ISE is an interactive (GUI) program. It is typically launched by a desktop user without any command line switches.

    It only says the process was started.

    Are you trying to run the program or just reporting on the fact that someone else ran the program?

    224393-image.png
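A Sentinel-side check for the point above, added here as an example and not part of the thread: this KQL query lists the process-creation events (Windows Security event 4688) that Sentinel holds for powershell_ise.exe, so you can see what the stored CommandLine actually contains. It assumes the SecurityEvent table is fed by the Windows Security Events connector and that the host's audit policy includes the command line in 4688 events (otherwise CommandLine stays empty for every process); commands typed inside the ISE window run in-process and never produce a 4688 event of their own.

```kql
// Added example (not from the thread): show what Sentinel recorded for
// powershell_ise.exe launches. For a GUI launch from the Start menu the
// CommandLine is normally just the executable path with no switches.
// Assumes the SecurityEvent table is populated by the Windows Security
// Events connector.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4688
| where NewProcessName endswith @"\powershell_ise.exe"
// Empty CommandLine on every row (not just ISE rows) means the
// "Include command line in process creation events" audit setting
// is off on that host, so the field was never collected.
| extend HasCommandLine = isnotempty(CommandLine)
| project TimeGenerated, Computer, Account, ParentProcessName,
          NewProcessName, CommandLine, HasCommandLine
| order by TimeGenerated desc
```

Drop the final project line and replace it with `| summarize Launches=count(), WithCommandLine=countif(isnotempty(CommandLine)) by Computer` to get a per-host count of how many 4688 events carried a command line at all.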


  2. Rich Matheisen 47,901 Reputation points
    2022-07-25T15:29:14.647+00:00

    Assuming the two lines of code you posted are supposed to be written in PowerShell (which they don't appear to be), your problem is that you're trying to use an exact string match in each element of an array, and there isn't an exact match to be found. Either change your search to use "Powershell_ISE.exe" or, if you just want to find every occurrence of the SUBSTRING "powershell", then look at the results of this code:

    # Array of process names to search
    $c = "powershell_ISE.exe", "PowerShell.exe"

    # -contains compares whole array elements (case-insensitive), so this is False
    $c -contains "powershell"   # won't find 'powershell'

    $c |
        ForEach-Object {
            # -like without a wildcard is still a whole-string comparison
            if ($_ -like "powershell") { "$_ -> Found it (string)" } else { "$_ -> Nope. Still not there! (string)" }
            # -like with a trailing * matches the substring at the start of the name
            if ($_ -like "powershell*") { "$_ -> Found it (wildcard!)" } else { "$_ -> Nope. Still not there! (wildcard)" }
        }

  3. Limitless Technology 39,916 Reputation points
    2022-07-27T07:59:23.45+00:00

    Hi there,

    I guess this is by design.

    Azure Sentinel can collect data on all users, devices, applications, and infrastructure both on-premises and across multiple cloud environments. It can easily connect to security sources out-of-the-box. There are several connectors available for Microsoft solutions that provide real-time integration, and Sentinel might not capture the PowerShell scripts executed.

    I hope this information helps. If you have any questions please let me know and I will be glad to help you out.
