diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml
index 1184ebc34..59c3361fc 100644
--- a/rules/windows/process_creation/win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/win_netsh_fw_add.yml
@@ -15,13 +15,13 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection1:
         CommandLine:
             - '*netsh*'
+    selection2:
         CommandLine:
             - '*firewall add*'
-            - '*advfirewall firewall add*'
-    condition: selection
+    condition: selection1 and selection2
 falsepositives:
     - Legitimate administration
 level: medium
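Review bot: The new selection names `selection1` and `selection2` say nothing about what each one matches; Sigma rules are usually easier to maintain when the name states the content, e.g. `selection_netsh:` and `selection_fw_add:` with `condition: selection_netsh and selection_fw_add`. The one-item list under the first selection can be written as the scalar `CommandLine: '*netsh*'`, which also makes the previous duplicate-`CommandLine` mistake (last key silently won under most loaders) harder to reintroduce. Both selections remain unanchored substring matches, so a process whose command line contains `netsh` anywhere (for example inside a path argument) together with a `firewall add` string still fires; if the intent is the netsh binary itself, an additional `Image|endswith: '\netsh.exe'` selection would tighten the rule, at the cost of missing renamed copies. The `falsepositives` entry `Legitimate administration` still applies to the narrowed rule and needs no change.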