diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index a843a4fda..27ebcc03c 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -171,7 +171,7 @@ logsources:
 category: file_change
 conditions:
 product_name: "Sysmon"
-vendor_id: "11"
+vendor_id: "2"
 windows-pipe-created:
 product: windows
 category: pipe_created
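Review bot: The new `vendor_id: "2"` carries no explanation of what the number means, so the next reader cannot tell whether "2" or the old "11" is the right value for `file_change` without looking up the Sysmon manual. The key appears to hold a Sysmon Event ID; if so, EID 2 is "file creation time changed", which is the event the Sigma `file_change` category denotes, while EID 11 is "FileCreate" and belongs to the separate `file_event` category. An inline comment would make the mapping self-checking, e.g. `vendor_id: "2"  # Sysmon EID 2: file creation time changed (EID 11 = FileCreate belongs to file_event)`. Since this hunk narrows which Sysmon events this logsource matches, any rule that previously relied on this entry to see EID 11 data loses that coverage; confirm a `file_event` logsource mapped to "11" exists elsewhere in the file, which this hunk does not show. The enclosing logsource entry whose `product`/name keys precede `category: file_change` starts outside the hunk.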