diff --git a/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml index 391ed94ef..309cfedf9 100644 --- a/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml +++ b/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml @@ -13,11 +13,12 @@ logsource: product: windows service: system detection: - keywords: - - '{054AAE20-4BEA-4347-8A35-64A533254A9D}' - - '2147943140' - - 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' - condition: all of keywords + selection: + EventID: 10001 + param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' + param2: '2147943140' + param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' + condition: selection falsepositives: - Unknown level: high
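Review bot: The new `selection` pins each indicator to a positional EventData slot (`param1`, `param2`, `param3`) where the old `keywords` block matched the same three values in any order, so if the 10001 event places them in a different order on some Windows builds the rule silently stops firing instead of over-matching; the slot assignment should be confirmed against a captured event before the keyword form is dropped. EventID 10001 in the System log is not specific to one provider, so the selection should also name the emitter, e.g. `Provider_Name: 'Microsoft-Windows-DistributedCOM'`, if this is the DCOM server-start failure its fields suggest. The error value in `param2` is left opaque: `2147943140` is `0x800702E4`, the HRESULT form of Win32 error 740 (ERROR_ELEVATION_REQUIRED), and a comment such as `# 2147943140 = 0x800702E4, HRESULT of ERROR_ELEVATION_REQUIRED (740)` beside that line would tell the next maintainer why this code is the LPE signal rather than a generic activation failure.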