diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 1ede21ddb..0b1a30517 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2020/11/03"
+updated_date = "2020/11/09"
 
 [rule]
 author = ["Elastic"]
@@ -11,19 +11,24 @@ injection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Suspicious Endpoint Security Parent Process"
 risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
-type = "query"
+type = "eql"
 
 query = '''
-event.category:process and event.type:(start or process_started) and
- process.name:(esensor.exe or "elastic-endpoint.exe" or "elastic-agent.exe") and
- not process.parent.executable:"C:\Windows\System32\services.exe"
+process where event.type in ("start", "process_started", "info") and
+ process.name : ("esensor.exe", "elastic-endpoint.exe") and
+ process.parent.executable != null and
+  /* add FPs here */
+ not process.parent.executable : ("C:\\Program Files\\Elastic\\*", 
+                                  "C:\\Windows\\System32\\services.exe", 
+                                  "C:\\Windows\\System32\\WerFault*.exe", 
+                                  "C:\\Windows\\System32\\wermgr.exe")
 '''
 
 
@@ -39,4 +44,3 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-