From 10488512aedceaec1105a4dfd637fa1598f03d66 Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Tue, 22 Jun 2021 22:27:34 +0700
Subject: [PATCH] Update win_renamed_meg.yml

---
 rules/windows/process_creation/win_renamed_meg.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/win_renamed_meg.yml b/rules/windows/process_creation/win_renamed_meg.yml
index aefc1e94b..8e87bf48d 100644
--- a/rules/windows/process_creation/win_renamed_meg.yml
+++ b/rules/windows/process_creation/win_renamed_meg.yml
@@ -13,7 +13,7 @@ logsource:
     product: windows
     service: sysmon # require sysmon version >= 10.0
 detection:
-    selection:
+    selection_sysmon:
         EventID:
             - '1'
         OriginalFileName:
@@ -21,18 +21,18 @@ detection:
     filter:
         Image|endswith:
             - '\meg.exe'
-    condition: selection and not filter
+    condition: selection_sysmon and not filter
 ---
 logsource:
     product: windows
     category: process_creation
 detection:
-    selection:
+    selection_proc:
         ParentImage|endswith:
             - '\explorer.exe'
         CommandLine|contains:
             - 'C:\Windows\Temp\meg.exe'
-    condition: selection
+    condition: selection_proc
 falsepositives:
     - Software that illegaly integrates MegaSync in a renamed form
     - Administrators that have renamed MegaSync