diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
index b5e13240c..f1ec2eb5e 100644
--- a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
+++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.name:(MSBuild.exe or msxsl.exe)
+event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)
 '''
 
 
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index fd7783681..b4f9a3d60 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.name:fltMC.exe
+event.category:process and event.type:(start or process_started) and process.name:fltMC.exe
 '''
 
 
diff --git a/rules/windows/discovery_process_discovery_via_tasklist_command.toml b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
index 3903f5a14..f2b17c05f 100644
--- a/rules/windows/discovery_process_discovery_via_tasklist_command.toml
+++ b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
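Review bot: In the rewritten query of defense_evasion_execution_via_trusted_developer_utilities.toml, `event.type:(start or process_started)` mixes the ECS-defined value `start` with `process_started`, which is not an ECS `event.type` value and is presumably retained for a data source that still emits the older name; without a note, the next ECS-alignment pass is likely to drop it and silently lose coverage for that source. Add a comment above `query = '''` such as `# process_started is not an ECS event.type value; kept for a source that still emits it (confirm which) - do not remove without checking coverage`, or the equivalent sentence in `description` if the rule tooling strips TOML comments. Separately, `process.name:(MSBuild.exe or msxsl.exe)` is an exact, case-sensitive keyword match in KQL, so a source that reports `msbuild.exe` will not match; confirm that every index this rule reads (the `index` list is outside the hunk) reports the canonical casing, or match on a case-normalized field. The same two points apply to the query hunks of defense_evasion_via_filter_manager.toml, discovery_process_discovery_via_tasklist_command.toml, discovery_whoami_command_activity.toml, execution_via_compiled_html_file.toml, persistence_priv_escalation_via_accessibility_features.toml and persistence_via_application_shimming.toml.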
@@ -25,7 +25,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.name:tasklist.exe
+event.category:process and event.type:(start or process_started) and process.name:tasklist.exe
 '''
 
 
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 047062574..02f9f9982 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-process.name:whoami.exe and event.code:1
+event.category:process and event.type:(start or process_started) and process.name:whoami.exe
 '''
 
 
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 2d1e90486..a136a0a4b 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.name:hh.exe
+event.category:process and event.type:(start or process_started) and process.name:hh.exe
 '''
 
 
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index cedac9314..64d5a2269 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/12"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)
+event.category:process and event.type:(start or process_started) and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)
 '''
 
 
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 3106fecb9..cc266a322 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 
 query = '''
-event.code:1 and process.name:sdbinst.exe
+event.category:process and event.type:(start or process_started) and process.name:sdbinst.exe
 '''
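Review bot: The exclusion list in the persistence_priv_escalation_via_accessibility_features.toml query is unchanged by the ECS rewrite and still names only the accessibility binaries, so any other child of winlogon.exe will alert; legitimate children spawned at logon (for example userinit.exe and LogonUI.exe, if the data source reports winlogon.exe as their parent) would presumably produce steady false positives unless the rule's `false_positives` or index scope, both outside the hunk, already account for them. Consider adding the expected benign winlogon children to the `not process.name:(...)` list, or recording in the rule description that the list is deliberately narrow and expected to be tuned per environment, so a reviewer does not mistake the noise for a detection gap. Note also that `not process.name:(...)` matches events where `process.name` is absent altogether, which is acceptable for a start event but worth knowing when triaging hits from this rule.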