From c4ddd5693137b341c2f5cc3832f68f569efb5d8f Mon Sep 17 00:00:00 2001
From: tas_kmanager <35577498+tas-kmanager@users.noreply.github.com>
Date: Fri, 16 Oct 2020 09:30:20 -0400
Subject: [PATCH] Update sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml

---
 ..._always_install_elevated_msi_spawned_cmd_and_powershell.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
index d90dfdd02..56efab11b 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
@@ -23,9 +23,8 @@ detection:
 - 'msi'
 ParentImage|endswith:
 - 'tmp'
-condition: event_id and image and parent_image
+condition: image and parent_image
 fields:
-- EventID
 - Image
 - ParentImage
 falsepositives:
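Review bot: The new `condition: image and parent_image` no longer references `event_id`, so if an `event_id:` selection is still defined earlier in the `detection:` block (above this hunk, outside my view) it is now dead and should be removed in the same change; an unreferenced selection is misleading to readers and is flagged by some Sigma validators. Dropping `EventID` from `fields` is consistent with relying on the `process_creation` logsource to pin the event type rather than a per-rule ID, which is presumably the intent. Worth confirming that the selection names `image` and `parent_image` exactly match the keys defined above, since the condition is now the only place they are tied together. The `detection:` block starts before the hunk.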