LoFP / Some false positives are to be expected from PowerShell scripts that make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts when needed.

Techniques

Sample rules

Potentially Suspicious PowerShell Child Processes

Description

Detects potentially suspicious child processes spawned by PowerShell

Detection logic

selection:
  # Child process: a living-off-the-land binary commonly used for download,
  # script execution, proxy execution or persistence. Sigma string matching is
  # case-insensitive by default, so MSHTA.EXE matches as well.
  Image|endswith:
  - \bash.exe
  - \bitsadmin.exe
  - \certutil.exe
  - \cscript.exe
  - \forfiles.exe
  - \hh.exe
  - \mshta.exe
  - \regsvr32.exe
  - \rundll32.exe
  - \schtasks.exe
  - \scrcons.exe
  - \scriptrunner.exe
  - \sh.exe
  - \wmic.exe
  - \wscript.exe
  # Parent process: any of the three PowerShell hosts. Fields inside one map
  # are AND-ed, so both Image and ParentImage must match.
  ParentImage|endswith:
  - \powershell_ise.exe
  - \powershell.exe
  - \pwsh.exe
# Known benign source: Amazon WorkSpaces configuration scripts. Both fields
# must match, so the filter only suppresses events where the parent script and
# the child command line both reference that directory.
filter_optional_amazon:
  CommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\
  ParentCommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\
# "1 of filter_optional_*" is true when any optional filter matches; such
# events are excluded. Add further filter_optional_* entries for known scripts.
condition: selection and not 1 of filter_optional_*
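The following is an added example, not code from the Sigma project or from the rule's author. It evaluates the rule above over a handful of constructed process-creation events, implementing only the two modifiers the rule uses (`|endswith`, `|contains`) with Sigma's default case-insensitive matching; it is not a general Sigma engine. The events, the paths in them, and the extra `filter_optional_contoso` entry (the kind of site-specific filter the false-positive note recommends) are all hypothetical.

```python
# Added example: evaluates "Potentially Suspicious PowerShell Child Processes"
# over constructed events. Not the Sigma project's code; only |endswith and
# |contains are implemented, case-insensitively as Sigma does by default.

SELECTION = {
    "Image|endswith": [
        "\\bash.exe", "\\bitsadmin.exe", "\\certutil.exe", "\\cscript.exe",
        "\\forfiles.exe", "\\hh.exe", "\\mshta.exe", "\\regsvr32.exe",
        "\\rundll32.exe", "\\schtasks.exe", "\\scrcons.exe",
        "\\scriptrunner.exe", "\\sh.exe", "\\wmic.exe", "\\wscript.exe",
    ],
    "ParentImage|endswith": [
        "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe",
    ],
}

AMAZON = "\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\"

# The rule's own filter plus one hypothetical site-specific filter for a
# known administrative script (the kind of addition the LoFP note suggests).
FILTERS = {
    "filter_optional_amazon": {
        "CommandLine|contains": [AMAZON],
        "ParentCommandLine|contains": [AMAZON],
    },
    "filter_optional_contoso": {  # hypothetical, not part of the rule
        "ParentCommandLine|contains": ["\\Scripts\\Deploy-Printers.ps1"],
    },
}


def _match_field(event, key, values):
    """One Sigma field with modifier; list values are OR-ed."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _match_block(event, block):
    """Fields inside one Sigma map are AND-ed."""
    return all(_match_field(event, key, vals) for key, vals in block.items())


def evaluate(event, filters=FILTERS):
    """condition: selection and not 1 of filter_optional_*"""
    if not _match_block(event, SELECTION):
        return False
    suppressed = any(_match_block(event, block)
                     for name, block in filters.items()
                     if name.startswith("filter_optional_"))
    return not suppressed


def alerts(events, filters=FILTERS):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if evaluate(e, filters)]


# Constructed sample events (hypothetical paths and command lines).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SYS32 = "C:\\Windows\\System32\\"
EVENTS = [
    {"id": "mshta_from_ps", "Image": SYS32 + "MSHTA.EXE", "ParentImage": PS,
     "CommandLine": "MSHTA.EXE C:\\Users\\Public\\update.hta",
     "ParentCommandLine": "powershell.exe -nop -w hidden -File C:\\Users\\Public\\stage.ps1"},
    {"id": "certutil_from_pwsh", "Image": SYS32 + "certutil.exe",
     "ParentImage": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "certutil.exe -decode C:\\Users\\Public\\p.txt C:\\Users\\Public\\p.exe",
     "ParentCommandLine": "pwsh.exe -NoProfile"},
    # Both command lines reference the Amazon directory: filtered out.
    {"id": "amazon_workspaces", "Image": SYS32 + "wscript.exe", "ParentImage": PS,
     "CommandLine": 'wscript.exe "C:' + AMAZON + 'Setup.vbs"',
     "ParentCommandLine": 'powershell.exe -File "C:' + AMAZON + 'Invoke-Setup.ps1"'},
    # Only the child references it; the filter needs both, so this still alerts.
    {"id": "amazon_child_only", "Image": SYS32 + "wscript.exe", "ParentImage": PS,
     "CommandLine": 'wscript.exe "C:' + AMAZON + 'Setup.vbs"',
     "ParentCommandLine": "powershell.exe -nop -w hidden"},
    # Known admin script, suppressed by the hypothetical contoso filter.
    {"id": "contoso_printers", "Image": SYS32 + "rundll32.exe", "ParentImage": PS,
     "CommandLine": "rundll32.exe printui.dll,PrintUIEntry /in /n \\\\print01\\HR",
     "ParentCommandLine": "powershell.exe -File C:\\Scripts\\Deploy-Printers.ps1"},
    {"id": "mshta_from_cmd", "Image": SYS32 + "mshta.exe",
     "ParentImage": SYS32 + "cmd.exe",
     "CommandLine": "mshta.exe C:\\Users\\Public\\update.hta",
     "ParentCommandLine": "cmd.exe /c start"},
    {"id": "notepad_from_ps", "Image": SYS32 + "notepad.exe", "ParentImage": PS,
     "CommandLine": "notepad.exe", "ParentCommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    print("with filters:   ", alerts(EVENTS))
    print("without filters:", alerts(EVENTS, filters={}))
```

Running it with the filters shows three alerts (mshta_from_ps, certutil_from_pwsh, amazon_child_only) and five without them; the difference is exactly what a `filter_optional_*` entry buys, and `amazon_child_only` shows why the Amazon filter is written against both command lines rather than the child alone.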