From 168df94b73b080ef5918d401bc9c37618fd3caa7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 2 Sep 2022 17:36:10 +0200
Subject: [PATCH] Update proc_creation_win_susp_clsid_foldername.yml

---
 .../proc_creation_win_susp_clsid_foldername.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
index 4d3178252..55e39ac5e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
@@ -30,7 +30,7 @@ detection:
 condition: all of selection_* and not filter
 falsepositives:
 - Some FP is expected with some installers
-level: high
+level: medium
 tags:
 - attack.defense_evasion
 - attack.t1027
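Review bot: Lowering `level` from high to medium is the only change here, and nothing in the rule records why; the `falsepositives` entry just above it still reads the generic "Some FP is expected with some installers". Pipelines that route or page on `level` will now treat this defense-evasion rule differently. It would help to name the installers that prompted the change in that list, or to exclude them in the existing `filter` if they are specific enough, rather than only reducing severity. If the rule carries a `modified:` field (not visible in this hunk), it should be bumped together with the level change, e.g. `modified: 2022/09/02`. The rule's header and the selection/filter definitions lie outside the hunk.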