diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
index d61ba1b64..d459f8167 100644
--- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
+++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
@@ -22,7 +22,7 @@ detection:
 EventType: WMIExecution
 WMIcommand|contains: 'Win32_Process\:\:Create'
 selection2:
- - Image|endswith:
+ Image|endswith:
 - '\winword.exe'
 - '\excel.exe'
 - '\powerpnt.exe'
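Review bot: The pattern `'Win32_Process\:\:Create'` on the `WMIcommand|contains` line, two lines above the changed key, keeps both backslashes, because YAML single quotes do no escape processing. As far as the Sigma specification describes it, a backslash is only an escape before `*`, `?` or another backslash. Depending on the backend, the rule may therefore search for a literal `\:` and miss an event whose command holds plain `Win32_Process::Create`. If the EDR telemetry carries plain colons, `WMIcommand|contains: 'Win32_Process::Create'` would be the safer form; this is worth confirming against a sample event. The `detection` block starts and ends outside this hunk, so the condition that joins the selections is not visible here.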