diff --git a/rules/windows/process_creation/win_data_compressed.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml
similarity index 68%
rename from rules/windows/process_creation/win_data_compressed.yml
rename to rules/windows/process_creation/win_data_compressed_with_rar.yml
index 469a946a2..de3ce76ac 100644
--- a/rules/windows/process_creation/win_data_compressed.yml
+++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml
@@ -2,19 +2,20 @@ title: Data Compressed
 status: experimental
 description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
 author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
 references:
-    - https://attack.mitre.org/techniques/T1002/
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
-        Image:
-            - '*\rar.exe'
-        CommandLine:
-            - '* a -r *'
-    condition: selection1
+    selection:
+        Image: '*\rar.exe'
+        CommandLine|contains|all:
+            - ' a '
+            - '-r'
+    condition: selection
 fields:
     - Image
     - CommandLine
@@ -24,7 +25,7 @@ fields:
     - ParentProcessGuid
     - ParentCommandLine
 falsepositives:
-    - highly likely if default archivator in the monitored environment is rar, and even if not
+    - highly likely if rar is default archiver in the monitored environment
 level: low
 tags:
     - attack.exfiltration