From f3171177d81436b00a693a2425d9f799df43ecaa Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 18 Jan 2023 10:24:04 +0100
Subject: [PATCH] fix: apply suggestions from code review

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../powershell/powershell_script/posh_ps_audio_exfiltration.yml | 2 +-
 .../process_creation/proc_creation_win_susp_psloglist.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
index 7ed9e5e94..7c42b85da 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
@@ -10,7 +10,7 @@ tags:
 - attack.exfiltration
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_main:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
index 7289529c2..7b47aaf7f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
@@ -25,7 +25,7 @@ detection:
 - '\psloglist.exe'
 - '\psloglist64.exe'
 selection_cli_eventlog:
- CommandLine|contains|all:
+ CommandLine|contains:
 - ' security'
 - ' application'
 - ' system'
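Review bot: The logsource under `logsource:` now depends on the `ps_script` category, but the hunk stops at `selection_main:`, so the fields the selections match on are not visible here. Backends typically map that category to Script Block Logging events (EventID 4104) in Microsoft-Windows-PowerShell/Operational, so the selections should be keyed on `ScriptBlockText`; a selection on any other field would presumably never match and the rule would fail silently. A one-line comment above the new key would make the telemetry dependency explicit for whoever deploys the rule, for example `# ps_script: Script Block Logging, EventID 4104; selections must use ScriptBlockText`.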
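Review bot: With `|all` dropped, `selection_cli_eventlog` fires on any one of the three values, and each value is anchored only by its leading space, so `' system'` also matches any argument that merely begins with "system", such as a host or file name. The condition and the other selections lie outside the hunk, so whether that is tight enough depends on how this selection is combined with the image selection above it. Per its documented usage, psloglist reads the System log when no log name is given, so a run without an explicit log name would not satisfy this selection; it is worth confirming that the condition still covers that case. A short comment would record the intent of the change: `# any single log name is sufficient; psloglist takes one event log per invocation`.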