diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
index 82a9866e3..dc5a6bedb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
@@ -15,9 +15,9 @@ logsource:
 definition: Script block logging must be enabled
 detection:
 selection_remove:
- CommandLine|contains: 'Remove-MpPreference'
+ ScriptBlockText|contains: 'Remove-MpPreference'
 selection_tamper:
- CommandLine|contains:
+ ScriptBlockText|contains:
 - '-ControlledFolderAccessProtectedFolders '
 - '-AttackSurfaceReductionRules_Ids '
 - '-AttackSurfaceReductionRules_Actions '
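Review bot: The values under `selection_tamper` keep their trailing space, a convention that suits a process command line; matched against `ScriptBlockText`, a parameter name followed by a tab, a line break or `:` is not covered. Consider dropping the trailing space, e.g. `- '-AttackSurfaceReductionRules_Ids'`, or stating the limitation in the rule's description. The value list and the `condition` continue outside the hunk, so how the two selections are combined cannot be checked from here. No hunk touches the lines above line 15, so the rule's `modified` date appears not to have been bumped with this logic change, which is worth confirming.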