diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml index c167ff6ed..a64f96298 100755 --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml @@ -54,11 +54,6 @@ detection: TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT' - EventType: 'SetValue' - selection_reg2: - TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential' - EventType: 'SetValue' - Details: 'DWORD (0x00000001)' --- logsource: category: process_creation diff --git a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml index bf76b00d8..dedf925a5 100644 --- a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml +++ b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml @@ -18,8 +18,6 @@ detection: selection: TargetObject: - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' - EventType: - - SetValue condition: selection falsepositives: - unknown diff --git a/rules/windows/registry_event/sysmon_cve-2020-1048.yml b/rules/windows/registry_event/sysmon_cve-2020-1048.yml index e5e17ef11..8a02f889e 100644 --- a/rules/windows/registry_event/sysmon_cve-2020-1048.yml +++ b/rules/windows/registry_event/sysmon_cve-2020-1048.yml @@ -18,10 +18,6 @@ logsource: detection: selection: TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports' - EventType: - - SetValue - - DeleteValue - - CreateValue Details|contains: - '.dll' - '.exe' diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml index fb3975c6a..27e6957c5 100644 --- a/rules/windows/registry_event/sysmon_reg_office_security.yml +++ b/rules/windows/registry_event/sysmon_reg_office_security.yml 
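Review bot: The win_apt_chafer_mar18 hunk deletes the whole `selection_reg2` (WDigest `UseLogonCredential` set to `DWORD (0x00000001)`), not just its `EventType` line as in every other rule in this commit, which drops the credential-access signal for the WDigest downgrade unless a dedicated rule covers it elsewhere. If the rule's `condition`, which lies below the hunk, still references `selection_reg2`, the rule will also fail to compile. Keep the selection and drop only the event type: `selection_reg2:` / `TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential'` / `Details: 'DWORD (0x00000001)'`. Note that with the new `Details: NewValue` mapping in windows-audit.yml the Sysmon-style `DWORD (0x00000001)` literal presumably does not match the raw 4657 `NewValue`; if that is the reason for the removal, a comment in the rule saying so would stop the next reader from re-adding it.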
@@ -19,10 +19,6 @@ detection: - '\Security\Trusted Documents\TrustRecords' - '\Security\AccessVBOM' - '\Security\VBAWarnings' - EventType: - - SetValue - - DeleteValue - - CreateValue condition: sec_settings falsepositives: - Valid Macros and/or internal documents diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml index fe6b5f5a5..c8404f2cc 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml @@ -16,9 +16,6 @@ detection: selection: TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit' Details|contains: 'MonitorProcess' - EventType: - - SetValue - - CreateValue condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml index bafd3cbd2..66a5dc12a 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml @@ -15,9 +15,6 @@ logsource: detection: selection: TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe' - EventType: - - SetValue - - CreateValue condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry_event/sysmon_runonce_persistence.yml b/rules/windows/registry_event/sysmon_runonce_persistence.yml index aff6c60e7..6e74aedb5 100644 --- a/rules/windows/registry_event/sysmon_runonce_persistence.yml +++ b/rules/windows/registry_event/sysmon_runonce_persistence.yml @@ -15,7 +15,6 @@ logsource: category: registry_event detection: selection: - EventType: 'SetValue' TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' TargetObject|endswith: '\StubPath' condition: selection 
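Review bot: In sysmon_runonce_persistence the removed `EventType: 'SetValue'` was the only thing scoping the Active Setup `\StubPath` match to value writes; if the Sysmon generic config maps registry_event to EventIDs 12/13/14, the rule now also fires on `DeleteValue` and rename events for the same path, e.g. uninstallers cleaning up Active Setup components. That broadening is not reflected in `falsepositives` or the description. Either add `- Uninstallers removing Active Setup components (value deletions now match as well)` under `falsepositives`, or keep the `Details`-free rules tied to EventID 13 in the Sysmon config. The same applies to sysmon_reg_silentprocessexit_lsass in this group, which has no `Details` filter to implicitly restrict it to SetValue.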
diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml index 667c8448a..7f23a3298 100755 --- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml +++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml @@ -31,7 +31,6 @@ detection: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' - EventType: 'SetValue' condition: 1 of them --- logsource: diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index dea029f4f..883c5863a 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml @@ -13,7 +13,6 @@ detection: selection_reg1: TargetObject|contains: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' - EventType: SetValue selection_reg2: - TargetObject|contains|all: - '\Image File Execution Options\' diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml index 67963ff93..6cdb6cb24 100644 --- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -19,7 +19,6 @@ detection: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - '\Command' Details|contains: '.exe' - EventType: 'SetValue' filter: Details|contains: - '\system32\CompatTelRunner.exe' diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index 51624a3a6..63080759e 100644 --- a/tools/config/generic/windows-audit.yml 
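Review bot: In sysmon_win_reg_persistence `selection_reg1` is now just `TargetObject|contains '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'` with no event type, so on a Sysmon source it matches every key create/delete/rename under that prefix, which is a very high-volume path. Whether that is harmless depends on the `condition` further down the file (outside the hunk) requiring it to be combined with `selection_reg2`; if it is ever used alone, the rule will flood. A one-line comment above the selection, `# broad prefix match; only meaningful when combined with selection_reg2 in the condition`, would make the intent explicit. For sysmon_stickykey_like_backdoor, matching IFEO `Debugger` value deletions as well is arguably still useful (cleanup of the backdoor), but the description should say the rule covers both set and removal.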
+++ b/tools/config/generic/windows-audit.yml @@ -14,10 +14,13 @@ logsources: product: windows conditions: EventID: 4657 + OperationType: + - 'New registry value created' + - 'Existing registry value modified' rewrite: product: windows service: security fieldmappings: Image: NewProcessName ParentImage: ParentProcessName - EventType: OperationType + Details: NewValue
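Review bot: The new `OperationType` condition uses the rendered English message strings, but in event 4657 the field is stored as the resource tokens `%%1904` / `%%1905` / `%%1906`, and pipelines that do not render messages (raw EVTX/XML forwarding, some agents) or non-English systems will carry the token, so the condition silently matches nothing there; add the tokens alongside: `- '%%1904'` / `- '%%1905'`. The list also omits `Registry value deleted` (`%%1906`), so rules that previously declared `DeleteValue` (sysmon_cve-2020-1048, sysmon_reg_office_security) lose deletion coverage on this backend with no trace left in the rule; either include it or note the restriction in a comment. The `Details: NewValue` mapping changes value format as well: Sysmon `Details` renders DWORDs as `DWORD (0x...)` while 4657 `NewValue` is the raw value, so rules matching on that Sysmon formatting will not fire here, which is worth a comment next to the mapping. Finally, 4657 is only generated for keys carrying a SACL with "Audit Registry" enabled; a comment such as `# requires Object Access > Audit Registry and SACLs on the monitored keys` would keep users from assuming coverage they do not have.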