From babdecc6424ed9ec4b9ef634c4b7483500a01207 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 10 Aug 2022 15:25:10 +0100
Subject: [PATCH] Update proc_creation_win_ntfs_short_name_use_image.yml

---
 .../proc_creation_win_ntfs_short_name_use_image.yml             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml
index 5826c2444..a78bfa522 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml
@@ -38,7 +38,7 @@ detection:
             - '~2.hta'
     filter:
         ParentImage|endswith: '\WebEx\WebexHost.exe'
-    condition: selection
+    condition: selection and not filter
 falsepositives:
     - Unknown
 level: high