I am interested in learning how other customers are elevating cmd.exe / PowerShell.exe to allow developers to install/test applications.
I base mine entirely on the command arguments to the application, as CMD and PowerShell are highly sought-after applications for attackers to leverage for malicious intent. I would be curious to see others' opinions on this matter though.
Probably the most common item I ding people on in health checks is simply file matching on the PowerShell file name. This provides an easy exploit: rename any script to the name of the approved-to-run script. (Tangent: this is also why we recommend avoiding giving users access to policy, in case they find these issues and do not tell the policy admins.)
Limiting command line arguments is a better way to help limit the extent of scope rather than simply allowing cmd or powershell to run. As well, if there’s a script that’s used frequently in the environment and is expected, then adding the hash value to the definition can help ensure that the running script is the approved, tested script.
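As an added illustration of the three rule styles discussed above (file name only, file name plus hash, file name plus hash plus argument restriction), the following is example code written for this thread, not code from any privilege-management product; the rule and request classes, the script contents and the hash values are all constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class ElevationRule:
    """Hypothetical allow rule: which file may run elevated and under which conditions."""
    exe_name: str                              # file name of the approved script/executable
    sha256: Optional[str] = None               # hash of the approved content, if pinned
    allowed_args: Optional[list] = None        # exact argument list, if restricted

@dataclass
class ElevationRequest:
    exe_name: str      # name of the file the user asked to run elevated
    file_bytes: bytes  # the content actually on disk under that name
    cmdline: str       # arguments supplied on the command line

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def rule_allows(rule: ElevationRule, req: ElevationRequest) -> bool:
    # Windows file names are case-insensitive, so compare case-folded.
    if req.exe_name.casefold() != rule.exe_name.casefold():
        return False
    # Hash pinning: a different file renamed to the approved name fails here.
    if rule.sha256 is not None and sha256_hex(req.file_bytes) != rule.sha256:
        return False
    # Argument restriction: only the expected invocation is accepted.
    # (Whitespace split is enough for this demo; a real agent parses quoted args.)
    if rule.allowed_args is not None and req.cmdline.split() != rule.allowed_args:
        return False
    return True

# Constructed sample data: the approved script, and a different script renamed to match it.
APPROVED_SCRIPT = b"Write-Host 'approved deploy'\n"
RENAMED_SCRIPT = b"Write-Host 'something else entirely'\n"
APPROVED_ARGS = ["-Environment", "dev"]
APPROVED_HASH = sha256_hex(APPROVED_SCRIPT)

RULES = {
    "name_only": ElevationRule("deploy.ps1"),
    "name_hash": ElevationRule("deploy.ps1", sha256=APPROVED_HASH),
    "name_hash_args": ElevationRule("deploy.ps1", sha256=APPROVED_HASH, allowed_args=APPROVED_ARGS),
}

def decisions(req: ElevationRequest) -> dict:
    """Evaluate one request against every rule style; True means it would be elevated."""
    return {name: rule_allows(rule, req) for name, rule in RULES.items()}
```

Running `decisions` on a renamed script shows the name-only rule still elevating it while the hash-pinned rules refuse, and an unexpected argument string is refused only by the rule that restricts arguments.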
Thanks for taking time to comment.