diff --git a/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml b/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml
index f6b2d52f8..ddbda73a2 100644
--- a/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml
+++ b/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml
@@ -24,7 +24,7 @@ detection:
 CommandLine|contains|all:
 - '\system\currentcontrolset\control\lsa'
 - 'DisableRestrictedAdmin'
- - ' 0'
+ - ' 1'
 condition: selection
 falsepositives:
 - Unknown
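Review bot: The new `' 1'` term under `CommandLine|contains|all` is a bare substring, so it matches any command line with ` 1` anywhere (for example data of `10`, or an unrelated argument) and misses equivalent spellings such as `0x1` or `00000001`. Pinning the rule to one value also drops coverage of writes of `0`, which, as far as I know, turns Restricted Admin mode on and is a change defenders also want to see. Consider deleting the value term so the rule fires on any write to `DisableRestrictedAdmin`, or keep both states in separate selections joined with `condition: 1 of selection_*`. If one value is kept, a comment such as `# 1 = Restricted Admin mode disabled, 0 = enabled` beside it would record which state is targeted. The selection block starts above the hunk, so the title and description could not be checked against the new value.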