Updated Rule

Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section.

rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml

@@ -1,15 +1,15 @@
-title: Monitor Excel from proxy executing regsvr32 with payload (Security Event Logs)
+title: Excel Proxy Executing Regsvr32 With Payload
 description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
 references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Idea by: Vadim Khrykov"
+    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
 tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defence_evasion
+    - attack.t1204.002
+    - attack.t1047
+    - attack.t1218.010
+    - attack.execution
+    - attack.defence_evasion
 status: experimental
 Date: 2021/23/8
 logsource:
@@ -43,5 +43,5 @@ detection:
       - 'call' 
   condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5
 falsepositives:
-- ""
-level: high
+- Unknown
+level: high