Transformed rule

I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs

Fixed Typo

Changes to title and description

rules/windows/builtin/win_proc_wrong_parent.yml

@@ -1,6 +1,6 @@
-title: Windows processes with wrong parent
+title: Windows Processes Suspicious Parent
 status: experimental
-description: Detect scenarios when malicious program is disguised as legitimate process
+description: Detect suspicious parent processes of well-known Windows processes
 author: 'vburov'
 references:
     - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
@@ -14,34 +14,33 @@ logsource:
     service: sysmon
     definition: 'Requirements: Sysmon'
 detection:
-    selection:
+    selection1:
         EventID: 1
-    filter1:
         Image:
             - '*\svchost.exe'
             - '*\taskhost.exe'
+    filter1:
         ParentImage:
             - '*\services.exe'
-    filter2:
+    selection2:
+        EventID: 1
         Image:
             - '*\lsm.exe'
             - '*\lsass.exe'
             - '*\services.exe'
+    filter2:
         ParentImage:
             - '*\wininit.exe'
-    filter3:
+    selection3:
+        EventID: 1
         Image:
             - '*\csrss.exe'
             - '*\wininit.exe'
             - '*\winlogon.exe'
+    filter3:
         ParentImage:
             - '*\smss.exe'
-    filter4:
+    condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) or ( selection3 and not filter3 )
-        Image:
-            - '*\explorer.exe'
-        ParentImage:
-            - '*\userinit.exe'
-    condition: selection and not ( filter1 or filter2 or filter3 or filter4 )
 falsepositives:
-    - None
+    - Unknown please report back
 level: high