From b8b2c759f81c92ceb46d6f23b3c3b070238078b9 Mon Sep 17 00:00:00 2001
From: taylor_socfortress <111797488+taylorwalton@users.noreply.github.com>
Date: Wed, 6 Aug 2025 11:01:55 -0500
Subject: [PATCH] Update 113101-MITRE_TECHNIQUES_FROM_SYSMON_EVENT14.xml

---
 Windows_Sysmon/113101-MITRE_TECHNIQUES_FROM_SYSMON_EVENT14.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Windows_Sysmon/113101-MITRE_TECHNIQUES_FROM_SYSMON_EVENT14.xml b/Windows_Sysmon/113101-MITRE_TECHNIQUES_FROM_SYSMON_EVENT14.xml
index 2c839a5..67a654f 100644
--- a/Windows_Sysmon/113101-MITRE_TECHNIQUES_FROM_SYSMON_EVENT14.xml
+++ b/Windows_Sysmon/113101-MITRE_TECHNIQUES_FROM_SYSMON_EVENT14.xml
@@ -440,7 +440,7 @@
   <group>sysmon_event_14,</group>
   </rule>
   <!-- Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image) -->
-<rule id="113141" level="12">
+<rule id="113141" level="10">
   <if_sid>61616</if_sid>
   <field name="win.eventdata.RuleName">^technique_id=T1113,technique_name=Recall Enabled via Registry Delete$</field>
   <description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>