diff --git a/rules/credential_access_lsass_memory_dump_via_wer.yml b/rules/credential_access_lsass_memory_dump_via_wer.yml
index 999ede205..b8f8357d7 100644
--- a/rules/credential_access_lsass_memory_dump_via_wer.yml
+++ b/rules/credential_access_lsass_memory_dump_via_wer.yml
@@ -1,6 +1,6 @@
 name: LSASS memory dump via Windows Error Reporting
 id: 7b4a74e2-c7a7-4c1f-b2ce-0e0273c3add7
-version: 1.0.1
+version: 1.0.2
 description: |
   Adversaries may abuse Windows Error Reporting service to dump LSASS memory.
   The ALPC protocol can send a message to report an exception on LSASS and
@@ -21,7 +21,7 @@ references:
 condition: >
   sequence
   maxspan 2m
-    |spawn_process and ps.child.name in ('WerFault.exe', 'WerFaultSecure.exe')| by ps.child.uuid
-    |write_minidump_file and file.path icontains 'lsass'| by ps.uuid
+    |spawn_process and ps.child.name iin ('WerFault.exe', 'WerFaultSecure.exe')| by ps.child.uuid
+    |create_file and file.path icontains 'lsass'| by ps.uuid
 
 min-engine-version: 2.4.0