diff --git a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml
index fbeedaad1..92cb14f0e 100644
--- a/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml
+++ b/rules/windows/sysmon/Office_Applications_Spawning_WMI_command-line.yml
@@ -1,25 +1,23 @@
-title: Office Applications Spawning WMI command-line (sysmon)
+title: Office Applications Spawning Wmi Cli
 description: Initial execution of malicious document calls wmic to execute the file with regsvr32
 references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Idea by: Vadim Khrykov"
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
 tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defence_evasion
+ - attack.t1204.002
+ - attack.t1047
+ - attack.t1218.010
+ - attack.execution
+ - attack.defence_evasion
 status: experimental
 Date: 2021/23/8
 logsource:
 product: windows
- service: sysmon
 category: process_creation
 detection:
- description: Add more office applications to the rule logic of choice
+ #useful_information: Add more office applications to the rule logic of choice
 selection1:
- EventLog: Microsoft-Windows-Sysmon/Operational
 EventID: 1
 selection2:
- Image: '\wbem\WMIC.exe'
@@ -33,5 +31,5 @@ detection:
 - powerpnt.exe
 condition: selection1 AND selection2 AND selection3
 falsepositives:
-- ""
-level: high
\ No newline at end of file
+- Unknown
+level: high
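Review bot: selection1 still hard-codes `EventID: 1` after the commit drops `service: sysmon` and the `EventLog` filter, so the rule remains Sysmon-only and will not fire on Security 4688 process-creation events even though the logsource now claims a generic `category: process_creation`; with the category set the backend supplies the event source, so selection1 can be deleted and the condition (in the following hunk) reduced to `condition: selection2 and selection3`. Removing `Image: '\wbem\WMIC.exe'` (an exact match that could never equal a full path) also loosens the rule unless the selection2 context lines outside this hunk still pin the image; `Image|endswith: '\wbem\WMIC.exe'` is the intended fix. Two retained lines are broken on the new side as well: `Date: 2021/23/8` is not a valid Sigma `date: YYYY/MM/DD` value (lowercase key; presumably `date: 2021/08/23` — confirm), and `attack.defence_evasion` is not in the Sigma ATT&CK taxonomy, which spells it `attack.defense_evasion`. The `#useful_information` comment should also read `# useful_information: ...` with a space after the hash, and selection2 continues past the end of this hunk.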
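Review bot: `- Unknown` is written flush with `falsepositives:` while the same commit re-indents the `references` and `tags` sequences by two spaces, leaving the file with two sequence styles; `  - Unknown` keeps it consistent. The `detection:` block this hunk sits in starts outside the hunk.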