diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml
deleted file mode 100644
index 5a1abf5ee..000000000
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Alternate PowerShell Hosts Module Load
-id: f67f6c57-257d-4919-a416-69cd31f9aac3
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
-status: experimental
-date: 2019/09/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
-tags:
- - attack.execution
- - attack.t1086
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 7
- Description: 'system.management.automation'
- ImageLoaded|contains: 'system.management.automation'
- filter:
- Image|endswith: '\powershell.exe'
- condition: selection and not filter
-falsepositives:
- - Programs using PowerShell directly without invocation of a dedicated interpreter.
-level: high
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
index fb702e8a2..067cd3709 100644
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
@@ -18,7 +18,9 @@ detection:
 EventID: 17
 PipeName|startswith: '\PSHost'
 filter:
- Image|endswith: '\powershell.exe'
+ Image|endswith:
+ - '\powershell.exe'
+ - '\powershell_ise.exe'
 condition: selection and not filter
 fields:
 - ComputerName
diff --git a/rules/windows/sysmon/sysmon_in_memory_powershell.yml b/rules/windows/sysmon/sysmon_in_memory_powershell.yml
index 76d5b989f..56e6e4530 100644
--- a/rules/windows/sysmon/sysmon_in_memory_powershell.yml
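Review bot: The new `'\powershell_ise.exe'` exclusion, like the existing `'\powershell.exe'` one it joins under `Image|endswith`, matches only the trailing path component, so any binary dropped under that name anywhere on disk is excluded by `not filter` — and this rule's purpose is precisely to catch hosts that dodge name-based checks. Anchoring the exclusions to the expected location keeps the ISE exception without opening a rename bypass: `- '\WindowsPowerShell\v1.0\powershell.exe'` and `- '\WindowsPowerShell\v1.0\powershell_ise.exe'` (the suffix still covers both System32 and SysWOW64). If this rule carries a `modified:` field above the hunk, as the moduleload rule deleted in this same diff does, it should be bumped with this change. The rule header and `falsepositives` are outside the hunk.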
+++ b/rules/windows/sysmon/sysmon_in_memory_powershell.yml
@@ -23,6 +23,7 @@ detection:
 filter:
 Image|endswith:
 - '\powershell.exe'
+ - '\powershell_ise.exe'
 - '\WINDOWS\System32\sdiagnhost.exe'
 # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
 condition: selection and not filter
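Review bot: The added `- '\powershell_ise.exe'` entry is inconsistent with its neighbour `'\WINDOWS\System32\sdiagnhost.exe'`, which is anchored to a directory; a name-only suffix means a renamed loader placed anywhere is excluded from this in-memory PowerShell detection. Use the same discipline for the new line, e.g. `- '\WindowsPowerShell\v1.0\powershell_ise.exe'`, which still matches the System32 and SysWOW64 installs. The commented-out `# User:` line sitting inside `filter:` reads as dead configuration rather than documentation; consider rewording it as a note such as `# NOTE: add User: 'NT AUTHORITY\SYSTEM' here to exclude SYSTEM-launched hosts`. The `selection:` block this filter pairs with and the rule's `modified:` field are outside the hunk.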