diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_recon.yml
similarity index 87%
rename from rules/windows/process_creation/win_nltest_query.yml
rename to rules/windows/process_creation/win_nltest_recon.yml
index 2a095dbab..f025c3210 100644
--- a/rules/windows/process_creation/win_nltest_query.yml
+++ b/rules/windows/process_creation/win_nltest_recon.yml
@@ -1,4 +1,5 @@
-title: Nltest Usage
+title: Detect Recon Activity with nltest
+id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
 description: Detects nltest commands that can be used for information discovery
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
@@ -9,7 +10,7 @@ references:
 status: experimental
 author: Craig Young, oscd.community, Georg Lauenstein
 date: 2021/07/24
-modified: 2021/08/17
+modified: 2021/08/19
 tags:
 - attack.discovery
 - attack.T1016
@@ -32,7 +33,7 @@ detection:
 - '/user'
 condition: selection_nltest AND (selection_recon1 OR selection_recon2)
 falsepositives:
- To be determined
+ Legitimate administration use but user must be check out
 level: medium
 fields:
 - Image
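Review bot: The new `title: Detect Recon Activity with nltest` uses the verb-first "Detect …" wording that, as far as I recall, the SigmaHQ rule guidelines ask authors to avoid in titles — the title should name the activity, and the `description:` line directly below already carries the "Detects …" phrasing, so the two read as duplicates. A noun-phrase title such as `title: Nltest Recon Activity` would match the renamed file (`win_nltest_recon.yml`) and the rest of the repository's naming. The added `id` is a fresh UUID, which is appropriate for a rule that never had one; just make sure the same value is not reused if the older `win_nltest_query.yml` path is ever restored, since Sigma consumers key on the id rather than the filename.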
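Review bot: The replacement `falsepositives` entry, `Legitimate administration use but user must be check out`, has a grammar slip ("be check out") and does not tell the analyst what to verify. Since the `fields:` list in the same hunk exposes `Image` (and the rest of that list continues outside the hunk), spell out the triage step so the text is actionable: `- Legitimate administration use; verify the executing user, source host and full command line before closing`. Keeping `level: medium` for a discovery rule with known admin noise is reasonable, but the falsepositives text is what analysts read first, so it should be precise rather than a placeholder replacement.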