From d96bd0d9f397de2f3dbcdf1de196af5f84ee154c Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:54:21 -0300
Subject: [PATCH] Update win_susp_wmi_login.yml

---
 rules/windows/builtin/win_susp_wmi_login.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/win_susp_wmi_login.yml
index e9627a54e..cf0bad0c5 100644
--- a/rules/windows/builtin/win_susp_wmi_login.yml
+++ b/rules/windows/builtin/win_susp_wmi_login.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         EventID: 4624
-        ProcessName: "*\\WmiPrvSE.exe"
+        ProcessName|endswith: "\\WmiPrvSE.exe"
     condition: selection
 falsepositives:
     - Monitoring tools
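Review bot: The new value `"\\WmiPrvSE.exe"` relies on YAML double-quote escaping to produce a single backslash, which is easy to misread as two; `ProcessName|endswith: '\WmiPrvSE.exe'` spells the same value literally and follows the single-quote style Sigma rules generally use for backslash paths. The `endswith` modifier is equivalent to the removed `*\\` wildcard, so the selection still keys on the bare file name and any process named WmiPrvSE.exe in any directory will match; that is reasonable for a "suspicious" rule, but a sentence in the rule's description saying the path is not checked would keep analysts from assuming otherwise. The `detection` block is complete within the hunk, while the `falsepositives` list may continue past its last line.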