diff --git a/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml b/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml
index e2ede2aeb..9384e093f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml
@@ -1,27 +1,27 @@
 title: Suspicious MsiExec Directory
 id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
 status: test
-description: Detects suspicious msiexec process starts in an uncommon directory
+description: Detects execution of msiexec from an uncommon directory
 author: Florian Roth
 references:
-  - https://twitter.com/200_okay_/status/1194765831911215104
+    - https://twitter.com/200_okay_/status/1194765831911215104
 date: 2019/11/14
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    Image|endswith: '\msiexec.exe'
-  filter:
-    Image|startswith:
-      - 'C:\Windows\System32\'
-      - 'C:\Windows\SysWOW64\'
-      - 'C:\Windows\WinSxS\'
-  condition: selection and not filter
+    selection:
+        Image|endswith: '\msiexec.exe'
+    filter:
+        Image|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\WinSxS\'
+    condition: selection and not filter
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1036.005
+    - attack.defense_evasion
+    - attack.t1036.005