diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml
index d4040c6ab..438d33ed7 100644
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/win_proc_wrong_parent.yml
@@ -9,11 +9,7 @@ references:
 - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 - https://attack.mitre.org/techniques/T1036/
 date: 2019/02/23
-modified: 2021/11/24
-tags:
- - attack.defense_evasion
- - attack.t1036.003
- - attack.t1036.005
+modified: 2022/02/14
 logsource:
 category: process_creation
 product: windows
@@ -29,21 +25,26 @@ detection:
 - '\csrss.exe'
 - '\wininit.exe'
 - '\winlogon.exe'
- filter1:
+ filter_sys:
 - ParentImage|endswith:
 - '\SavService.exe'
 - '\ngen.exe'
 - ParentImage|contains:
 - '\System32\'
 - '\SysWOW64\'
- filter2:
+ filter_msmpeng:
 ParentImage|contains:
 - '\Windows Defender\'
 - '\Microsoft Security Client\'
 ParentImage|endswith: '\MsMpEng.exe'
 filter_null:
- ParentImage: null
- condition: selection and not filter1 and not filter2 and not filter_null
+ - ParentImage: null
+ - ParentImage: '-'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Some security products seem to spawn these
 level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
+ - attack.t1036.005
\ No newline at end of file
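Review bot: The `ParentImage|contains: '\System32\'` and `'\SysWOW64\'` entries kept under the renamed `filter_sys` suppress every parent located in those directories, so a `selection` child such as `winlogon.exe` started by any System32 binary other than its expected parent never fires, and with the new `condition: selection and not 1 of filter_*` that suppression is applied by key prefix, so any future `filter_`-named entry widens it without the condition being touched. If the directory substring is only meant to cover the expected system parents, consider replacing it with `ParentImage|endswith` entries for those image names and adding a comment above `filter_sys` such as `# Directory-level exclusion: every System32/SysWOW64 parent is suppressed here, not just the expected ones`. The `detection:` block, including `selection`, begins above this hunk. The relocated `tags:` list ends without a trailing newline (`\ No newline at end of file`).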