From 39b41b5582ac76ddd8fe694ce31dc6288d60b631 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 28 May 2020 10:13:38 +0200
Subject: [PATCH] rule: moved DebugView rule to process creation category

---
 .../win_susp_renamed_debugview.yml} | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 rename rules/windows/{sysmon/sysmon_susp_renamed_debugview.yml => process_creation/win_susp_renamed_debugview.yml} (93%)

diff --git a/rules/windows/sysmon/sysmon_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml
similarity index 93%
rename from rules/windows/sysmon/sysmon_susp_renamed_debugview.yml
rename to rules/windows/process_creation/win_susp_renamed_debugview.yml
index 065bc8919..dcab5bd63 100644
--- a/rules/windows/sysmon/sysmon_susp_renamed_debugview.yml
+++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml
@@ -7,11 +7,10 @@ references:
 author: Florian Roth
 date: 2020/05/28
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Product:
             - 'Sysinternals DebugView'
             - 'Sysinternals Debugview'
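Review bot: After dropping `service: sysmon` and `EventID: 1`, the selection still keys only on `Product`, a PE version-info field that Sysmon Event ID 1 populates but that a Security 4688 process-creation event does not carry, so a backend that maps the generic process_creation category to 4688 will emit a query that silently never matches. The rule should state that dependency where the analyst will see it, for example a `falsepositives` or `description` note such as `Requires a process creation source that carries PE version info (Sysmon Event ID 1); Security 4688 does not populate Product`. Whether the condition also includes an `Image` or `OriginalFileName` clause cannot be seen here; the rule's title, description, condition and level lie outside the hunk.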