From 918bcfbf8aff74203c208c052af89d6d68a6ef2c Mon Sep 17 00:00:00 2001
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com>
Date: Thu, 9 Sep 2021 21:04:09 -0600
Subject: [PATCH] Completed requested changes selection2: Image|endswith:
---
 ..._Process Create_command_execution_by_Office_Applications.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
index d61ba1b64..d459f8167 100644
--- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
+++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
@@ -22,7 +22,7 @@ detection:
 EventType: WMIExecution
 WMIcommand|contains: 'Win32_Process\:\:Create'
 selection2:
- - Image|endswith:
+ Image|endswith:
 - '\winword.exe'
 - '\excel.exe'
 - '\powerpnt.exe'
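Review bot: The context line `WMIcommand|contains: 'Win32_Process\:\:Create'` just above the changed `selection2` keeps its backslashes, and inside a single-quoted YAML scalar they are literal; Sigma treats a backslash as an escape only before `*`, `?` or another backslash, so this value likely requires `\:` to appear in the logged command and would not match a plain `Win32_Process::Create`. If the sensor logs the method name without backslashes, `WMIcommand|contains: 'Win32_Process::Create'` is the safer form, since otherwise the rule would silently never fire. Separately, `EventType` and `WMIcommand` do not look like standard process_creation fields, so the rule's `logsource` (outside this hunk) should name the product that emits them. The `detection` block starts and ends outside the hunk, so the rest of the `Image|endswith` list and the `condition` could not be checked here.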