EDR: Can I search for commands executed in cmd or powershell ?

Article ID: 291520

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Am I able to search for commands which have been executed within Windows command prompt or powershell?

Environment

  • Hosted EDR: 7.2+
  • EDR Server: 7.2+
  • EDR Windows Sensor: 7.1+ 

Resolution

Before the EDR Windows Sensor 7.1.0 release, interactive commands executed within the command prompt or PowerShell were not captured. For example, if you opened PowerShell and ran the 'Get-ChildItem' cmdlet to list the items in a specific location, sensor versions before 7.1.0 would not record that event. Only external processes, binaries, or services that were launched from cmd or PowerShell were captured.

As of the EDR Windows Sensor 7.1.0 release, Antimalware Scan Interface (AMSI) support was added to capture these events inside PowerShell; AMSI support for the Windows command prompt was not yet implemented. Using this AMSI feature also requires EDR Server 7.2 or newer to collect the events, which can then be forwarded to a SIEM for viewing using the Event Forwarder. EDR Server 7.4 and older cannot display these events in the console, so the Event Forwarder is required.

Additional Information

  • Full support for searching and displaying PowerShell AMSI events in the EDR console is planned for the EDR Server 7.6 release. Windows command prompt AMSI event support is not yet implemented as of EDR 7.8.0.