diff --git a/rules/windows/process_creation/proc_creation_win_susp_calc.yml b/rules/windows/process_creation/proc_creation_win_susp_calc.yml
index 7b4356ea7..9bfe793b6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_calc.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_calc.yml
@@ -19,10 +19,10 @@ detection:
         - 'C:\Windows\System32\'
         - 'C:\Windows\SysWOW64\'
         - 'C:\Windows\WinSxS\'
-    condition: selection not filter
+    condition: selection and not filter
 falsepositives:
-    - Unknown
+    - Unknown
 level: high
 tags:
-    - attack.defense_evasion
-    - attack.t1036
+    - attack.defense_evasion
+    - attack.t1036
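Review bot: The new `selection and not filter` condition is the correct Sigma syntax, but the filter it references still allowlists by directory prefix, so a calc.exe dropped into a user-writable subfolder of those roots (commonly cited examples are `C:\Windows\System32\Tasks\` and `C:\Windows\System32\spool\drivers\color\`) would be suppressed along with the genuine binary. The filter's field key and the `selection` block are outside the hunk, so this assumes the usual `Image|startswith`; if that is the case, consider pinning the two flat directories to the exact binary, `- 'C:\Windows\System32\calc.exe'` and `- 'C:\Windows\SysWOW64\calc.exe'`, and keeping the prefix match only for the versioned `WinSxS` tree. Separately, `falsepositives` still reads `Unknown` for a `level: high` rule; an entry naming the expected benign source, or `Unlikely` if none has been observed, would give analysts something to triage against.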