From d76bdf71df6fe2f85a978384f094283b571f188e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 7 Oct 2022 10:48:52 +0200
Subject: [PATCH] Update win_lpe_indicators_tabtip.yml

---
 .../builtin/system/win_lpe_indicators_tabtip.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
index 391ed94ef..309cfedf9 100644
--- a/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
@@ -13,11 +13,12 @@ logsource:
     product: windows
     service: system
 detection:
-    keywords:
-        - '{054AAE20-4BEA-4347-8A35-64A533254A9D}'
-        - '2147943140'
-        - 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe'
-    condition: all of keywords
+    selection:
+        EventID: 10001
+        param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe'
+        param2: '2147943140'
+        param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}'
+    condition: selection
 falsepositives:
     - Unknown
 level: high
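Review bot: The new selection binds each of the three values to a positional field (param1, param2, param3), so the rule now also depends on the event's parameter order, which the hunk neither documents nor evidences; a short comment above the selection such as `# param1 = image path, param2 = error code, param3 = CLSID — confirm against a sample 10001 event` would make the mapping reviewable, since the old keywords form matched the values regardless of position. Event ID 10001 in the System log is not tied to a single provider, so if the intended source is the DCOM "unable to start a DCOM server" event, adding `Provider_Name: Microsoft-Windows-DistributedCOM` to the selection would narrow the match and reduce collisions with other 10001 events. The diffstat shows this hunk is the commit's only change, so the rule's `modified` date (outside the hunk) was not updated even though the detection logic changed; Sigma convention expects it to be bumped alongside a logic change.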