Mar 02 2021 06:27 PM
One of our users is experiencing a problem when it comes to creating scripts in the PowerShell ISE: when they are autosaved to AppData, it blocks them on his machine and does not create an alert/incident in the Defender ATP portal.
However, one has managed to appear in the portal (see screenshot). We only recently implemented Defender ATP, so I'm not 100% sure how to interpret the alert, and since this behaviour isn't happening on anyone else's machine, I don't know if whitelisting powershell_ise.exe is a good idea (I assume not), or if there's a better explanation for it?
The current Defender ATP settings are the stock standard for GPO as stated in the deployment guide.
Appreciate any help with this!