diff --git a/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml b/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml
index 8e2b7bf82..4bedaab1b 100644
--- a/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml
+++ b/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml
@@ -14,6 +14,7 @@ tags:
 logsource:
 category: file_access
 product: windows
+ definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
 detection:
 selection:
 - FileName|contains:
diff --git a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
index 7e69dc9ea..fceeac479 100644
--- a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
+++ b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
@@ -13,6 +13,7 @@ tags:
 logsource:
 category: file_access
 product: windows
+ definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
 detection:
 selection:
 FileName|contains:
diff --git a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
index 46ab0a677..aa762c8ff 100644
--- a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
+++ b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
@@ -13,6 +13,7 @@ tags:
 logsource:
 category: file_access
 product: windows
+ definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
 detection:
 selection:
 FileName|contains:
diff --git a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
index bcd731435..d646e23cd 100644
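Review bot: The added `definition` string describes the rule category ("file_access rules are using …") rather than the collection prerequisite that a Sigma `logsource.definition` is meant to state, which is what someone mapping this logsource to a backend or deciding whether the rule can fire in their environment needs. Consider wording it as the requirement, for example `definition: 'Requirements: the Microsoft-Windows-Kernel-File ETW provider must be enabled and its events collected'`, so a deployer knows what to turn on before this rule produces any hits. The identical string is added in the three following hunks (file_access_win_credential_manager_stealing.yml, file_access_win_dpapi_master_key_access.yml, file_access_win_susp_cred_hist_access.yml); whatever phrasing is chosen should stay byte-identical across all four so the logsource definitions do not drift. The indentation of the added line is not visible in this rendering; it must sit at the same level as `category` and `product` to be parsed as part of `logsource` rather than as a stray top-level key.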
--- a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
@@ -13,6 +13,7 @@ tags:
 logsource:
 category: file_access
 product: windows
+ definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
 detection:
 selection:
 FileName|endswith: '\Microsoft\Protect\CREDHIST'