Hi,
I am setting up a report/block for PowerShell in Exploit Prevention [ENS 10.6; ePO 5.9.1].
I follow this document as a guide:
https://community.mcafee.com/docs/DOC-10292.
'Monitor PowerShell Parameter Usage Access Protection Rule' p.12
The process works and reports as it should.
I have an app that is launched from PowerShell; basically PowerShell kicks off a sub-executable.
Is there a way I can exclude that sub-executable from being reported/blocked? See attached.
Thanks for any input.
Without looking at the rule you are using, I think the problem with the rule you're using is that you're only protected if PowerShell has a child process. What if it doesn't?
I would do something more like this:
Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME {
                -v "powershell.exe"
                -v "pwsh.exe"
            }
            Include PROCESS_CMD_LINE {
                # Not sure what you're wanting to block; assuming the below based upon your event
                -v "**bypass**"
                # some other good things
                -v "**-en **"
                -v "**-enc**"
                -v "**iex**"
            }
            Exclude PROCESS_CMD_LINE {
                # allowing your script to work
                -v "**zen_executeRunscript_????_*.ps1\""
            }
            Include -access "CREATE"
        }
    }
}
Thank you for the follow-up.
I am not looking to block any. I am looking to only report on all PowerShell except for a few known specifics, such as the zen one.
We will block by other methods.
When you have a moment, please clarify what the '#some other good things' are?
Thanks.
Hello,
Thank you for posting on the McAfee community.
Exploit Prevention exclusions and how they work
https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orch...
Exclude processes from Exploit Prevention
https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orch...
Create exclusions from Exploit Prevention events
https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page...
Excluding items from Exploit Prevention
https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page...
I hope this helps, let me know if you have any queries.
By "some other good things," I meant good things to monitor for. But if you want to watch for everything, just remove the whole "Include PROCESS_CMD_LINE" section, and then you will capture everything other than what is in the "Exclude PROCESS_CMD_LINE" section.
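To see how the rule above behaves once the Include PROCESS_CMD_LINE section is removed (report every powershell.exe/pwsh.exe launch except the zen exclusion), here is an added simulation that is not part of this thread or of any McAfee product. It assumes the ENS wildcard semantics as I read them from the product guide (`?` one character, `*` any run of characters except `\` and `/`, `**` any run including them) and uses constructed sample events.

```python
import re

# Assumed McAfee ENS wildcard semantics (check the product guide for your version):
# "?" = one character, "*" = run of characters except "\" and "/", "**" = run including them.
def mcafee_glob_to_regex(pattern: str) -> re.Pattern:
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\/]*"); i += 1
        elif pattern[i] == "?":
            out.append("."); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def matches_any(value: str, patterns) -> bool:
    return any(mcafee_glob_to_regex(p).match(value) for p in patterns)

# Values copied from the expert rule in the thread.
TARGET_IMAGES = ["powershell.exe", "pwsh.exe"]
INCLUDE_CMD_LINE = ["**bypass**", "**-en **", "**-enc**", "**iex**"]
EXCLUDE_CMD_LINE = ['**zen_executeRunscript_????_*.ps1"']

def should_report(image_name: str, cmd_line: str, include_cmd_line=None) -> bool:
    """True if a process CREATE event would be reported by the rule.
    include_cmd_line=None models the 'remove the whole Include PROCESS_CMD_LINE
    section' variant: every target image is reported unless excluded."""
    if not matches_any(image_name, TARGET_IMAGES):
        return False
    if include_cmd_line is not None and not matches_any(cmd_line, include_cmd_line):
        return False
    return not matches_any(cmd_line, EXCLUDE_CMD_LINE)

# Constructed sample events (image name, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("powershell.exe", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
                       r' -File "C:\zen\zen_executeRunscript_ab12_task.ps1"'),
    ("powershell.exe", "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ("powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
    ("cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for image, cmd in SAMPLE_EVENTS:
        print(f"{'REPORT' if should_report(image, cmd) else 'ignore':6}  {image}  {cmd}")
```

The third sample shows the difference the two variants make: with the Include section kept it is silent (no suspicious parameter), with the section removed it is reported like every other PowerShell launch.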
Thank you for the follow-ups.
I will work through these to see if I can get something to work, meaning reports on all except for what is trusted or excluded.
I will take another look at Reports > Exploit Prevention to see if I can get success that way. Thanks.
Daveb3d, thanks for the start of the expert rule. If I use that, I would need to turn off the analyzer IDs I enabled in my Exploit Prevention policy, is that correct?
A clarification question I have: many docs reference a caller process. It is not clear in the McAfee incident which one it is referencing. In my above pic [message 2], is the caller process the API name, PowerShell, or 'Target Parent Process Name'?
Thanks again.
You wouldn't need to turn other rules off, but you might get some duplication.
The caller, I believe, is the parent. I think your rule had PowerShell as this, but mine was whatever spawned PowerShell.
Dave
Sorry for the delay. Still working on this as time permits.
I have been trying to explore the expert rules. I still get that sub-process generating an alert.
I will look more at it, as I am also trying to encompass the Exploit Prevention PowerShell IDs into the expert rule.
I will touch base soon. Thanks for the guidance.