diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml b/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml
index 658a65949..9ef34bfaa 100644
--- a/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml
+++ b/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml
@@ -6,8 +6,10 @@ references:
     - https://twitter.com/_felamos/status/1179811992841797632
 author: Beyu Denis, oscd.community (rule), @_felamos (idea)
 date: 2019/10/12
+modified: 2019/11/04
 tags:
-    - attack.persistence
+    - attack.defense_evasion
+    - attack.execution
     - attack.t1218
 level: critical
 logsource:
@@ -16,8 +18,7 @@ logsource:
 detection:
     selection:
         Image: '*\devtoolslauncher.exe'
-        CommandLine: '*LaunchForDeploy*'
+        CommandLine|contains: 'LaunchForDeploy'
     condition: selection
 falsepositives:
-    - Unknown
-
+    - Legitimate use of devtoolslauncher.exe by legitimate user
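Review bot: The second hunk moves `CommandLine` to the `|contains` modifier but leaves the sibling `Image` line in the old wildcard form, so the selection now mixes two matching styles; `Image|endswith: '\devtoolslauncher.exe'` would make it consistent with the line the commit just rewrote. In the first hunk, `attack.execution` is added alongside `attack.t1218`, which as far as I recall is a Defense Evasion technique only, so the tactic tag has no matching technique tag and should either be dropped or backed by the execution technique the author has in mind. The new falsepositives entry reads "Legitimate use ... by legitimate user"; `Legitimate use of devtoolslauncher.exe by an administrator` says the same thing without the repetition. Keeping `level: critical` while now documenting a legitimate-use false positive is worth a sentence in the description or the falsepositives entry explaining why the severity still holds.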