diff --git a/11_file_create/exclude_psscriptpolicytest.xml b/11_file_create/exclude_psscriptpolicytest.xml
index 95dc68a6..44ae1058 100644
--- a/11_file_create/exclude_psscriptpolicytest.xml
+++ b/11_file_create/exclude_psscriptpolicytest.xml
@@ -11,6 +11,11 @@
                <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
                <User condition="is">NT AUTHORITY\SYSTEM</User>
             </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+               <User condition="is">NT AUTHORITY\SYSTEM</User>
+            </Rule>
          </FileCreate>
       </RuleGroup>
    </EventFiltering>
diff --git a/11_file_create/exclude_psscriptpolicytest_user.xml b/11_file_create/exclude_psscriptpolicytest_user.xml
new file mode 100644
index 00000000..8c5abe43
--- /dev/null
+++ b/11_file_create/exclude_psscriptpolicytest_user.xml
@@ -0,0 +1,16 @@
+<Sysmon schemaversion="4.30">
+   <EventFiltering>
+      <RuleGroup name="" groupRelation="or">
+         <FileCreate onmatch="exclude">
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+         </FileCreate>
+      </RuleGroup>
+   </EventFiltering>
+</Sysmon>
\ No newline at end of file
diff --git a/23_file_delete/exclude_psscriptpolicytest.xml b/23_file_delete/exclude_psscriptpolicytest.xml
new file mode 100644
index 00000000..c8bba3e3
--- /dev/null
+++ b/23_file_delete/exclude_psscriptpolicytest.xml
@@ -0,0 +1,22 @@
+<Sysmon schemaversion="4.60">
+   <EventFiltering>
+      <RuleGroup name="" groupRelation="or">
+         <FileDelete onmatch="exclude">
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\wsmprovhost.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+               <User condition="is">NT AUTHORITY\SYSTEM</User>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+               <User condition="is">NT AUTHORITY\SYSTEM</User>
+            </Rule>
+         </FileDelete>
+      </RuleGroup>
+   </EventFiltering>
+</Sysmon>
\ No newline at end of file
diff --git a/23_file_delete/exclude_psscriptpolicytest_user.xml b/23_file_delete/exclude_psscriptpolicytest_user.xml
new file mode 100644
index 00000000..d548643c
--- /dev/null
+++ b/23_file_delete/exclude_psscriptpolicytest_user.xml
@@ -0,0 +1,16 @@
+<Sysmon schemaversion="4.60">
+   <EventFiltering>
+      <RuleGroup name="" groupRelation="or">
+         <FileDelete onmatch="exclude">
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+         </FileDelete>
+      </RuleGroup>
+   </EventFiltering>
+</Sysmon>
\ No newline at end of file
diff --git a/26_file_delete_detected/exclude_psscriptpolicytest.xml b/26_file_delete_detected/exclude_psscriptpolicytest.xml
new file mode 100644
index 00000000..945ac740
--- /dev/null
+++ b/26_file_delete_detected/exclude_psscriptpolicytest.xml
@@ -0,0 +1,22 @@
+<Sysmon schemaversion="4.60">
+   <EventFiltering>
+      <RuleGroup name="" groupRelation="or">
+         <FileDeleteDetected onmatch="exclude">
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\wsmprovhost.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+               <User condition="is">NT AUTHORITY\SYSTEM</User>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Windows\Temp;__PSScriptPolicyTest;.ps1</TargetFilename>
+               <User condition="is">NT AUTHORITY\SYSTEM</User>
+            </Rule>
+         </FileDeleteDetected>
+      </RuleGroup>
+   </EventFiltering>
+</Sysmon>
\ No newline at end of file
diff --git a/26_file_delete_detected/exclude_psscriptpolicytest_user.xml b/26_file_delete_detected/exclude_psscriptpolicytest_user.xml
new file mode 100644
index 00000000..f1a67440
--- /dev/null
+++ b/26_file_delete_detected/exclude_psscriptpolicytest_user.xml
@@ -0,0 +1,16 @@
+<Sysmon schemaversion="4.60">
+   <EventFiltering>
+      <RuleGroup name="" groupRelation="or">
+         <FileDeleteDetected onmatch="exclude">
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+            <Rule groupRelation="and">
+               <Image condition="is">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Image> 
+               <TargetFilename condition="contains all">C:\Users\;\AppData\Local\Temp\;__PSScriptPolicyTest;.ps1</TargetFilename>
+            </Rule>
+         </FileDeleteDetected>
+      </RuleGroup>
+   </EventFiltering>
+</Sysmon>
\ No newline at end of file