diff --git a/rules/windows/process_creation/win_renamed_meg.yml b/rules/windows/process_creation/win_renamed_meg.yml
index aefc1e94b..8e87bf48d 100644
--- a/rules/windows/process_creation/win_renamed_meg.yml
+++ b/rules/windows/process_creation/win_renamed_meg.yml
@@ -13,7 +13,7 @@ logsource:
     product: windows
     service: sysmon # require sysmon version >= 10.0
 detection:
-    selection:
+    selection_sysmon:
         EventID:
             - '1'
         OriginalFileName:
@@ -21,18 +21,18 @@ detection:
     filter:
         Image|endswith:
             - '\meg.exe'
-    condition: selection and not filter
+    condition: selection_sysmon and not filter
 ---
 logsource:
     product: windows
     category: process_creation
 detection:
-    selection:
+    selection_proc:
         ParentImage|endswith:
             - '\explorer.exe'
         CommandLine|contains:
             - 'C:\Windows\Temp\meg.exe'
-    condition: selection
+    condition: selection_proc
 falsepositives:
     - Software that illegaly integrates MegaSync in a renamed form
     - Administrators that have renamed MegaSync