diff --git a/rules/windows/sysmon/sysmon_cmstp_execution.yml b/rules/windows/sysmon/sysmon_cmstp_execution.yml
index 37a9827c4..e3b04a188 100644
--- a/rules/windows/sysmon/sysmon_cmstp_execution.yml
+++ b/rules/windows/sysmon/sysmon_cmstp_execution.yml
@@ -31,6 +31,7 @@ detection:
 selection2:
 EventID: 12
 TargetObject: '*\cmmgr32.exe*'
+ EventType: 'CreateKey'
 # Registry Object Value Set
 selection3:
 EventID: 13
diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
index 1b3c4afd0..ea7a4ea47 100644
--- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -18,6 +18,7 @@ detection:
 - EventID: 12 # key create
 # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
 TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
+ EventType: 'CreateKey' # we don't want deletekey
 - EventID: 14 # key rename
 NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
 condition: selection
diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
index 65d99b28d..e0131f927 100644
--- a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
@@ -16,6 +16,7 @@ logsource:
 detection:
 selection:
 EventID: 12
+ EventType: 'CreateKey' # don't want DeleteKey events
 TargetObject: 'HKU\\*_Classes\CLSID\\*\TreatAs'
 condition: selection
 falsepositives:
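Review bot: The added `EventType: 'CreateKey'` line in sysmon_cmstp_execution.yml carries no comment, whereas the identical narrowing in sysmon_disable_security_events_logging_adding_reg_key_minint.yml and sysmon_registry_persistence_key_linking.yml states that DeleteKey events are being excluded; write it as `EventType: 'CreateKey' # exclude DeleteKey events` so a reader of selection2 sees that it previously matched any Event ID 12 touching cmmgr32.exe and now fires only on key creation. In all three files the detection logic is tightened without any visible change to the rule's `modified` date field; if these rules carry one, bump it in the same commit so consumers who track rule revisions notice the behaviour change. Placement is also inconsistent, with EventType after TargetObject in the first two files and before it in the third; keeping it directly under EventID in every selection reads better since it qualifies that event ID.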