diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_code_integrity_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_code_integrity_defender_load_unsigned_dll.yml
index 077793c86..92d882d23 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_code_integrity_defender_load_unsigned_dll.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_code_integrity_defender_load_unsigned_dll.yml
@@ -15,10 +15,10 @@ logsource:
 detection:
 selection:
 EventID: 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
- ProcessPath|endswith:
- - '\MpCmdRun.exe'
- - '\NisSrv.exe'
- Image|endswith: '.dll'
+ ProcessPath|endswith:
+ - '\MpCmdRun.exe'
+ - '\NisSrv.exe'
+ ImageName|endswith: '.dll'
 condition: selection
 falsepositives:
 - Unknown
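Review bot: The `ImageName|endswith: '.dll'` condition on the new side keeps the rule tied to a file extension, although EventID 12 for `MpCmdRun.exe` or `NisSrv.exe` already means a non-Microsoft-signed image was blocked in a Defender process; a blocked image whose name does not end in `.dll` would not alert. Consider dropping that line, or adding a comment such as `# restrict to DLL loads; other image types are out of scope for this rule` so the narrowing is a stated choice. Since the previous `Image` field presumably never matched this log source, a sample event in the rule's regression tests would catch a wrong field name next time. The page shows the hunk with indentation collapsed, so the nesting of the re-added `ProcessPath` lines under `selection` cannot be checked from here.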