False positive when amazon workspaces is running and doing its weird little things

rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml

@@ -2,8 +2,9 @@ title: Suspicious PowerShell Sub Processes
 id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
 description: Detects suspicious sub processes spawned by PowerShell
 status: experimental
-author: Florian Roth
+author: Florian Roth, Tim Shelton
 date: 2022/04/26
+modified: 2022/07/14
 references:
     - https://twitter.com/ankit_anubhav/status/1518835408502620162
 logsource:
@@ -28,7 +29,10 @@ detection:
             - '\rundll32.exe'
             - '\forfiles.exe'
             - '\scriptrunner.exe'
-    condition: selection
+    falsepositive:
+        ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
+        CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
+    condition: selection and not falsepositive
 falsepositives:
     - Unknown
 level: high