unable to create suppression rule

Hi all,

we are receiving alerts for the below script but when we close it it does not create a rule.

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8;" " Get-LocalUser | ForEach-Object { $userName = $_.Name $output = net user $userName $lastLogonLine = $output | Where-Object { $_ -match '^ *Last logon' } if ($lastLogonLine) { if ($lastLogonLine -match 'Last logon\s+(.*)') { $lastLogon = $matches[1].Trim() } else { $lastLogon = \"Not found\" } } else { $lastLogon = \"Not found\" } [PSCustomObject]@{ UserName = $userName LastLogon = $lastLogon } } | ConvertTo-Json -Compress "

This is legitimate. I am trying to add a rule but in " select response", the only option available is device isolation. So I don't want to proceed with the above script. Is there any other way that we can stop receiving alerts ?

Find more posts tagged with

Accepted answers

All comments

SMF

Actually. I've used false positive now. so hopefully it will not notify for all devices. 🤞

SMF

would the recommended method still send notifications after auto closing ?

Sethu Laks

Hi @SMF

Thanks for reaching out to the WithSecure Community,

What you’re seeing is expected behavior when legitimate activity (in this case, your PowerShell script) triggers a Broad Context Detection (BCD). I’ll outline how this works and the correct steps to suppress these alerts so they don’t continue to reappear.

1. Recommended Method: Use Accepted Behavior to Create a Suppression Rule

The intended way to silence recurring BCDs for legitimate activity is through the Accepted Behavior workflow.

To create a suppression rule for your script:

Locate the specific BCD triggered by the script and change its status to Closed.
Set the Resolution to Accepted Behavior.
A pop-up should appear asking whether you want to create a suppression rule. Select Yes to launch the Suppression Rule Wizard.

It’s important to note that simply marking a BCD as Accepted Behavior does not automatically suppress future alerts — the suppression rule created via the wizard is what actually prevents similar BCDs from reappearing. Once a rule is in place, matching BCDs will be automatically closed as Auto-Accepted Behavior.

Why a Suppression Rule May Not Appear

If you set the resolution to Accepted Behavior but never see the wizard, this can be due to current limitations:

The feature initially supported BCDs with five or fewer key detections. If your script triggers a more complex detection chain, self-service rule creation may be restricted.
Suppression rules are created per “key detection,” and all detections must be suppressible for the rule to be created.

2. About the “Select Response” Limitation You Saw

The interface shown in your screenshot is for Automated Actions, which is a different mechanism.

Automated Actions (under Security Configurations > Automated actions) trigger containment or escalation actions like Device isolation or Auto-elevate.
These are not intended to suppress legitimate alerts, which is why the options you saw didn’t match your needs.

For your use case, Automated Actions are not the correct tool.

3. Other Options If Accepted Behavior Suppression Isn’t Available

A. Use “False Positive” Closure (If the Alert Is Identical Every Time)

If your script always triggers a BCD with the same fingerprint:

Close the BCD and set the resolution to False Positive.
Any identical future BCDs will be automatically closed as Auto-False Positive.

This only works when the activity pattern does not vary between runs.

B. Request Official Allow-Listing

If neither Accepted Behavior nor False Positive suppression works, you can request an allow-listing via Support:

Go to Elements Portal > Support > Request for allowlisting.
This sends the detection to WithSecure’s DRT team, who can whitelist it at a deeper engine level — preventing the BCD from being created at all.

This is the recommended path for stable, known-good behavior that repeatedly triggers detections.

Summary

To suppress alerts for your legitimate PowerShell script:

First try: Mark the BCD as Accepted Behavior and create a suppression rule through the wizard.
If the behavior is always identical: Mark the BCD as False Positive to enable auto-false-positive closure.
If those options are unavailable or insufficient: Submit a whitelisting request via Support.

If you run into any issues with these steps, feel free to share more details — we can help you troubleshoot from there.