diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4688.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4688.map
index c690b0fd..6cedbfdc 100644
--- a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4688.map
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4688.map
@@ -27,14 +27,14 @@ Maps:
 Values:
 -
 Name: ProcessId
- Value: "/Event/EventData/Data[@Name=\"ProcessId\"]"
+ Value: "/Event/EventData/Data[@Name=\"NewProcessId\"]"
 -
 Property: PayloadData3
 PropertyValue: "Parent PID: %ProcessId%"
 Values:
 -
 Name: ProcessId
- Value: "/Event/EventData/Data[@Name=\"NewProcessId\"]"
+ Value: "/Event/EventData/Data[@Name=\"ProcessId\"]"
 -
 Property: PayloadData4
 PropertyValue: "Mandatory label: %MandatoryLabel%"
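Review bot: Both entries still bind the same placeholder name, `Name: ProcessId`, to two different XPaths, which is likely how the PID and parent PID came to be swapped without anyone noticing. In the first entry I would rename it to `Name: NewProcessId` and update the `%ProcessId%` reference in that entry's PropertyValue to match; that line sits above the hunk, so I cannot see it here. If the map format allows YAML comments at this position, a line such as `# 4688: NewProcessId is the created process, ProcessId is its creator (parent)` above the two entries would make the mapping checkable at a glance. Output produced with the earlier map has the two columns reversed, so any process-tree reconstruction built from it should be regenerated.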