KQL · License: Elastic-2.0 · Source: elastic/detection-rules
Suspicious PowerShell Engine ImageLoad
Rule source: rules/windows/execution_suspicious_powershell_imgload.toml
host.os.type:windows and event.category:library and
dll.name:("System.Management.Automation.dll" or "System.Management.Automation.ni.dll") and
not (
process.code_signature.subject_name:(
"Microsoft Corporation" or
"Microsoft Dynamic Code Publisher" or
"Microsoft Windows"
) and process.code_signature.trusted:true and not process.name.caseless:"regsvr32.exe"
) and
not (
process.executable:(C\:\\Program*Files*\(x86\)\\*.exe or C\:\\Program*Files\\*.exe) and
process.code_signature.trusted:true
) and
not (
process.executable: C\:\\Windows\\Lenovo\\*.exe and process.code_signature.subject_name:"Lenovo" and
process.code_signature.trusted:true
) and
not (
process.executable: C\:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-*\\exec\\PDQInventoryScanner.exe and
process.code_signature.subject_name:"PDQ.com Corporation" and
process.code_signature.trusted:true
) and
not (
process.name: (_is*.exe or "DellInstaller_x64.exe") and
process.code_signature.subject_name:("Dell Technologies Inc." or "Dell Inc" or "Dell Inc.") and
process.code_signature.trusted:true
) and
not (
process.executable: C\:\\ProgramData\\chocolatey\\* and
process.code_signature.subject_name:("Chocolatey Software, Inc." or "Chocolatey Software, Inc") and
process.code_signature.trusted:true
) and
not (
process.name: "Docker Desktop Installer.exe" and
process.code_signature.subject_name:"Docker Inc" and
process.code_signature.trusted:true
) and
not process.executable : (
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or
"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
)