We found a couple of ways to do this:
Using Sysmon events and setting a rule to look for PowerShell.
Or enabling PowerShell script block logging and forwarding those events. With PowerShell you can look for the ToolAlias and those are all your PS events.
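
A sketch of the script block logging option, as an added example that is not part of the original post: it turns the policy on through the registry, then reads the resulting 4104 events and reassembles script blocks that Windows split across several events. It assumes an elevated Windows PowerShell session on the monitored host; the 500-event window and the output property names are arbitrary choices for illustration.

```powershell
# Added example, not from the original post. Assumes an elevated session.

# 1. Enable script block logging via the policy key (same setting a GPO writes).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Script block events are ID 4104 in the PowerShell operational channel.
#    This is the channel/ID pair to forward to the collector.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue)

# 3. Large scripts are logged in parts. Event 4104 properties, in order:
#    [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
#    [3] ScriptBlockId, [4] Path. Group by ScriptBlockId and join the parts.
$blocks = $events |
    Group-Object { $_.Properties[3].Value } |
    ForEach-Object {
        $parts = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })
        $first = $_.Group | Sort-Object TimeCreated | Select-Object -First 1
        [pscustomobject]@{
            ScriptBlockId = $_.Name
            FirstSeen     = $first.TimeCreated
            PartsSeen     = $parts.Count
            PartsExpected = [int]$parts[0].Properties[1].Value
            Path          = $parts[0].Properties[4].Value
            Script        = -join ($parts | ForEach-Object { $_.Properties[2].Value })
        }
    }

# 4. Flag blocks with missing parts (log rolled over or window too small),
#    so a truncated script is not mistaken for the full one.
$blocks |
    Sort-Object FirstSeen |
    Select-Object FirstSeen, ScriptBlockId, Path,
        @{ n = 'Complete'; e = { $_.PartsSeen -eq $_.PartsExpected } },
        @{ n = 'Length';   e = { $_.Script.Length } }
```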