diff --git a/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml b/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
index 18293b29f..a80d45a3d 100644
--- a/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml
@@ -21,7 +21,7 @@ detection:
         ParentCommandLine|contains|all:
             - '\svchost.exe'
             - 'termsvcs'
-    filter:
+    filter_img:
         Image|endswith:
             - '\rdpclip.exe'
             - ':\Windows\System32\csrss.exe'
@@ -29,7 +29,7 @@ detection:
             - ':\Windows\System32\winlogon.exe'
     filter_null:
         Image: null
-    condition: selection and not 1 of filter*
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
 level: high
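Review bot: The renamed `filter_img` block still anchors only `'\rdpclip.exe'` by file name while its siblings (`':\Windows\System32\csrss.exe'`, `':\Windows\System32\winlogon.exe'` in the second hunk) are anchored to the System32 path, so any process named rdpclip.exe in any directory is excluded from the rule; since the commit is already touching this block, the inconsistency is worth closing in the same change. If the intent is the legitimate clipboard helper only, change the entry to `- ':\Windows\System32\rdpclip.exe'` so the exclusion matches the path-anchored form of the other two entries; if a looser match is deliberate, a one-line comment on that entry (`# rdpclip.exe is matched by name only because …`) would stop the next reader from "fixing" it. The rename itself and the `1 of filter_*` condition in the second hunk are consistent with each other, and `filter_null` still matches the new wildcard. The enclosing `detection:` block begins above the first hunk, so the `selection:` key and any other filters defined there are outside this view.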