
Summary
This detection rule identifies PowerShell processes launched with command-line parameters that bypass the execution policy. By looking for flags such as `-ex` (the abbreviated form of `-ExecutionPolicy`) paired with the value `bypass`, the rule surfaces potentially malicious activity, since attackers commonly use this feature to run harmful scripts without detection. The detection uses data from Endpoint Detection and Response (EDR) tools, specifically process command-line executions recorded by telemetry sources such as Sysmon and the Windows Security event log. If such executions are malicious, they may allow attackers to execute arbitrary code, exfiltrate data, or establish persistent access within target environments, posing significant risk to organizational security. The rule captures enough context that any identified incident can be traced back to the specific user and process involved, supporting a detailed investigative workflow.
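As an added illustration of the logic described above (this is example code written for this page, not the rule's own query), the script below applies the same check to constructed process-creation records in the style of Sysmon Event ID 1 / Security 4688 fields. It goes slightly beyond the summary by accepting every abbreviation of `-ExecutionPolicy` that powershell.exe itself accepts (`-ex`, `-exec`, ...), both the space-separated and `-ExecutionPolicy:Bypass` forms, and quoted values, while ignoring the word "bypass" when it merely appears inside a `-Command` string. The event fields, user names and paths are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 style).
# These are made-up records for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice", "pid": 4120, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ex bypass -nop -w hidden -f C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1"},
    {"user": "CORP\\bob", "pid": 5012, "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "cmdline": "pwsh.exe -ExecutionPolicy:Bypass -File .\\deploy.ps1"},
    {"user": "CORP\\bob", "pid": 5020, "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File .\\deploy.ps1"},
    {"user": "NT AUTHORITY\\SYSTEM", "pid": 1208, "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"user": "CORP\\carol", "pid": 6112, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -noprofile -Command "Write-Output bypass"'},
]

# Host process names the rule scopes to (T1059.001).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Split a Windows command line into tokens, keeping quoted strings together.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def _is_execution_policy_switch(token: str) -> bool:
    """True for any abbreviation of -ExecutionPolicy that powershell.exe accepts (-ex, -exec, ...)."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    # powershell.exe accepts any unambiguous prefix; "ex" is the shortest one that
    # is not also a prefix of -EncodedCommand, so a bare "-e" is deliberately not matched.
    return len(name) >= 2 and "executionpolicy".startswith(name)


def has_execution_policy_bypass(cmdline: str) -> bool:
    """Return True when the command line sets the execution policy to Bypass,
    via either '-ex bypass' (space separated) or '-ExecutionPolicy:Bypass' (colon form)."""
    tokens = TOKEN_RE.findall(cmdline)
    for i, tok in enumerate(tokens):
        switch, sep, value = tok.partition(":")
        if sep:                                   # -ExecutionPolicy:Bypass
            candidate = value
        elif i + 1 < len(tokens):                 # -ex bypass
            candidate = tokens[i + 1]
        else:
            continue
        if _is_execution_policy_switch(switch) and candidate.strip("\"'").lower() == "bypass":
            return True
    return False


def detect(events):
    """Apply the rule to process-creation events and return one finding per hit,
    carrying the user and process context an analyst needs to pivot on."""
    findings = []
    for ev in events:
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name in POWERSHELL_IMAGES and has_execution_policy_bypass(ev["cmdline"]):
            findings.append({"user": ev["user"], "pid": ev["pid"],
                             "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[T1059.001] user={f['user']} pid={f['pid']} parent={f['parent']}\n    {f['cmdline']}")
```

Run as-is, the script reports the first two sample events (the `-ex bypass` and `-ExecutionPolicy:Bypass` launches) and stays quiet on the RemoteSigned launch, the non-PowerShell process, and the command whose only "bypass" is inside a quoted `-Command` argument. In a production rule the parent process and user fields are what let the alert be triaged: a bypass launched by an enterprise software-deployment agent under a service account is a very different finding from one spawned by a user's mail client.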
Categories
- Endpoint
Data Sources
- Windows Registry
- Application Log
- Process
ATT&CK Techniques
- T1059
- T1059.001
Created: 2025-01-27