diff --git a/rules/windows/sysmon/sysmon_termserv_proc_spawn.yml b/rules/windows/process_creation/sysmon_termserv_proc_spawn.yml
similarity index 100%
rename from rules/windows/sysmon/sysmon_termserv_proc_spawn.yml
rename to rules/windows/process_creation/sysmon_termserv_proc_spawn.yml
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index 24dd92fa9..ed94fc3d0 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -15,30 +15,30 @@ logsources:
     product: windows
     service: application
     conditions:
-      EventLog: Application
+      Channel: Application
   windows-security:
     product: windows
     service: security
     conditions:
-      EventLog: Security
+      Channel: Security
   windows-sysmon:
     product: windows
     service: sysmon
     conditions:
-      EventLog: Microsoft-Windows-Sysmon
+      Channel: Microsoft-Windows-Sysmon
   windows-dns-server:
     product: windows
     service: dns-server
     conditions:
-      EventLog: 'DNS Server'
+      Channel: 'DNS Server'
   windows-driver-framework:
     product: windows
     service: driver-framework
     conditions:
-      Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+      Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
   windows-dhcp:
     product: windows
     service: dhcp
     conditions:
-      source: 'Microsoft-Windows-DHCP-Server/Operational'
+      Channel: 'Microsoft-Windows-DHCP-Server/Operational'
 defaultindex: logstash-*
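Review bot: The `windows-sysmon` condition is the one entry in this hunk whose new `Channel` value is not a full channel path: it becomes `Channel: Microsoft-Windows-Sysmon`, while the driver-framework and DHCP entries right below it carry `.../Operational`, and Sysmon writes its events to the `Microsoft-Windows-Sysmon/Operational` channel. If `Channel` is now matched against the Windows channel name, the generated Sysmon queries will silently match nothing, which is a quiet detection gap rather than an error; `Channel: Microsoft-Windows-Sysmon/Operational` would be consistent with the other entries, unless the ingest pipeline is known to strip the suffix. The same unification from `EventLog`/`source` to `Channel` presumably relies on a `Channel` entry in the file's fieldmappings section, which lies outside this hunk and is worth confirming in the same change. A one-line comment above `logsources:` stating which field `Channel` is translated to in the index would save the next maintainer from re-deriving it.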