diff --git a/rules/windows/execution_unusual_dns_service_file_writes.toml b/rules/windows/execution_unusual_dns_service_file_writes.toml
index 863ffb845..4079386c6 100644
--- a/rules/windows/execution_unusual_dns_service_file_writes.toml
+++ b/rules/windows/execution_unusual_dns_service_file_writes.toml
@@ -29,7 +29,8 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
-event.category:file and process.name:dns.exe and
+event.category:file and process.name:dns.exe and
+ event.type:(creation or deletion or change) and
 not file.name:dns.log
 '''
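Review bot: The added `event.type:(creation or deletion or change)` clause includes `deletion`, which is not a file write, while the rule's file name and tags describe "unusual DNS service file writes"; either drop `deletion` so the query matches the rule's stated scope, or adjust the rule's description (outside this hunk) to say it also alerts on file removals by dns.exe. Note that `event.type` is a list-valued field, so this clause matches when any listed value is present, which is the intended any-of semantics here. The pre-existing `not file.name:dns.log` exclusion keys on the bare file name rather than the full path, so it suppresses any file with that name in any directory; narrowing it to the expected log location would tighten the rule, and a short comment above `query = '''` stating why these three event types were chosen would help future maintainers. The enclosing `[rule]` table starts before this hunk.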