diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index f403e2ad6..e3177d515 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/07"
 maturity = "production"
-updated_date = "2021/10/07"
+updated_date = "2022/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ process where event.code == "10" and
   winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
 
   /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
-  winlog.event_data.CallTrace : ("*dbhelp*", "*dbgcore*") and
+  winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and
 
   /* case of lsass crashing */
   not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe")
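Review bot: The corrected `CallTrace : ("*dbghelp*", "*dbgcore*")` clause in the second hunk still keys only on the on-disk module name that Sysmon writes into CallTrace, so a copy of dbghelp.dll dropped under another name, or a dumper that reimplements MiniDumpWriteDump on top of NtReadVirtualMemory or direct syscalls, will not produce a match even though it accesses lsass.exe. That coverage limit is worth stating next to the pattern so nobody reads this rule as a general LSASS-dump detection; for example replace the existing comment with `/* DLLs exporting MiniDumpWriteDump; matches only on module name in CallTrace, so renamed copies of dbghelp.dll or tools that reimplement MiniDumpWriteDump are not covered */`. Pairing it with a detection based on the GrantedAccess value of the same event 10 record would close part of that gap, but the GrantedAccess field is not visible in this hunk, so confirm what the rest of the query already filters on. The enclosing `process where` query begins before the hunk and its `query = '''` terminator is outside it as well.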