From f050cedf929cda0ee40d0bdfa3f9f9c9ab06643d Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 20 Oct 2020 21:17:59 +0200
Subject: [PATCH] update syntax to re-run the test once more...
---
 rules/windows/process_creation/win_regedit_export_keys.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_regedit_export_keys.yml b/rules/windows/process_creation/win_regedit_export_keys.yml
index f40cc2436..70bc2a50f 100644
--- a/rules/windows/process_creation/win_regedit_export_keys.yml
+++ b/rules/windows/process_creation/win_regedit_export_keys.yml
@@ -16,8 +16,7 @@ logsource:
 detection:
 selection:
 Image|endswith: '\regedit.exe'
- CommandLine|contains:
- - ' /E '
+ CommandLine|contains: ' /E '
 filter_1: # filters to avoid intersection with critical keys rule
 CommandLine|contains:
 - 'hklm'
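Review bot: The `selection` block's `CommandLine|contains` still matches only the slash form ` /E ` with a space on each side, so an export invoked with a dash-prefixed switch would not match. This assumes regedit accepts the dash form, as many Windows binaries do, which is worth confirming against a test event. If it does, keeping the list form and adding a second entry `- ' -E '` would cover it; the scalar introduced here would have to be turned back into a list for that. The `filter_1` list continues past the end of the hunk, so its full exclusion set is not visible here.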