diff --git a/rules/windows/builtin/security/win_account_discovery.yml b/rules/windows/builtin/security/win_account_discovery.yml
index d591f69c0..1ee5a15cc 100644
--- a/rules/windows/builtin/security/win_account_discovery.yml
+++ b/rules/windows/builtin/security/win_account_discovery.yml
@@ -33,7 +33,7 @@ detection:
 - '-555'
 - ObjectName|contains: 'admin'
 filter:
- - SubjectUserName|endswith: '$'
+ SubjectUserName|endswith: '$'
 condition: selection and selection_object and not filter
 falsepositives:
 - If source account name is not an admin then its super suspicious
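Review bot: The new plain-mapping form of `filter` is equivalent in Sigma to the old one-item list for a single key, so this is a normalisation, but it now differs in style from the selection two lines above that still uses the list form (`- ObjectName|contains: 'admin'`, referenced as `selection_object` in `condition`); pick one form for single-key selections within the rule. The exclusion `SubjectUserName|endswith: '$'` combined with `not filter` drops every event whose subject name ends in `$`, presumably to exclude computer accounts, which means discovery activity performed from a machine-account context is not surfaced by this rule — that coverage gap deserves a comment above `filter:`, e.g. `# excludes subjects ending in '$' (computer accounts); discovery under a machine account is not covered`. The `falsepositives` entry in the context lines describes a triage heuristic rather than a benign case and has a typo (`its` → `it's`); consider rewording it as an actual false-positive scenario and moving the heuristic to the rule's description.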