diff --git a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
index ef96909c8..2b6808755 100644
--- a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
@@ -26,7 +26,7 @@ detection:
 # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
 Image|endswith: '\TiWorker.exe'
 TargetFileName|endswith: '\uwfservicingscr.scr'
- condition: selection and not 1 of filter*
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
index e062eef1e..9ec56128d 100644
--- a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
+++ b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
@@ -30,7 +30,7 @@ detection:
 # This filter is to avoid a race condition FP with this specific ETW provider in aurora
 Provider_Name: Microsoft-Windows-Kernel-Process
 Image: null
- condition: selection and not filter
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: low
diff --git a/rules/windows/image_load/image_load_in_memory_powershell.yml b/rules/windows/image_load/image_load_in_memory_powershell.yml
index 53591c0de..bb1c2cf0e 100755
--- a/rules/windows/image_load/image_load_in_memory_powershell.yml
+++ b/rules/windows/image_load/image_load_in_memory_powershell.yml
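Review bot: The tightened wildcard `1 of filter_*` no longer matches a block named plain `filter`, so every exclusion in this rule must carry the `filter_` prefix; the block names sit above the hunk and are not visible here, so that is worth confirming (the same `filter*` → `filter_*` change is made in image_load_in_memory_powershell.yml). Separately, the context line `TargetFileName|endswith: '\uwfservicingscr.scr'` spells the field with a capital N, whereas the Sigma file_event field is conventionally `TargetFilename`; if the selection above uses the lower-case spelling, this exclusion never matches and TiWorker.exe's `.scr` creation keeps firing, so the one-line fix would be `TargetFilename|endswith: '\uwfservicingscr.scr'`. Note also that the exclusion is keyed only on `Image|endswith: '\TiWorker.exe'`; the commented ParentCommandLine above it is documentation, not a constraint.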
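Review bot: The old condition referenced a block named exactly `filter`, and the new `1 of filter_*` cannot match that name; this hunk does not rename the block (its header is above the hunk), so unless it already carries a `filter_` prefix the exclusion is either rejected by the converter or silently dropped, depending on the backend. The same `not filter` → `not 1 of filter_*` change is made in proc_creation_win_non_interactive_powershell.yml and has the same dependency on the block names outside its hunk. Since the wildcard now turns every `filter_*` block into an exclusion, a short comment on the condition line would help future editors, e.g. `condition: selection and not 1 of filter_*  # every filter_* block is an exclusion; keep the prefix on new ones`.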
@@ -57,7 +57,7 @@ detection:
 # This filter is to avoid a race condition FP with this specific ETW provider in aurora
 Provider_Name: Microsoft-Windows-Kernel-Process
 Image: null
- condition: selection and not 1 of filter*
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Used by some .NET binaries, minimal on user workstation.
 - Used by Microsoft SQL Server Management Studio
diff --git a/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml b/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml
index a9dc07539..76e97c2a4 100644
--- a/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml
@@ -22,7 +22,7 @@ detection:
 - '\CompatTelRunner.exe'
 - ParentImage: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe' # During Windows updates/upgrades
 # CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
- condition: selection and not filter
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate programs executing PowerShell scripts
 level: low