diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
index a3dc360ed..fa78485a0 100644
--- a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
+++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
@@ -15,8 +15,8 @@ logsource:
     category: image_load
 detection:
     selection:
-        Description: 'system.management.automation'
-        ImageLoaded|contains: 'system.management.automation'
+        Description: 'System.Management.Automation'
+        ImageLoaded|contains: 'System.Management.Automation'
     filter:
         Image|endswith: '\powershell.exe'
     condition: selection and not filter
diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
index b0d0303f9..bb3cbec63 100755
--- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
+++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
@@ -16,8 +16,8 @@ logsource:
     product: windows
 detection:
     selection: 
-        Description: 'system.management.automation'
-        ImageLoaded|contains: 'system.management.automation'
+        Description: 'System.Management.Automation'
+        ImageLoaded|contains: 'System.Management.Automation'
     condition: selection
 fields:
     - ComputerName