diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml
index ff5a1f4c..b0429c53 100644
--- a/rules/windows/builtin/win_net_ntlm_downgrade.yml
+++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml
@@ -18,14 +18,14 @@ logsource:
 service: security
 definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
 detection:
- selection2:
+ selection:
 EventID: 4657
 ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa*'
 ObjectValueName:
 - 'LmCompatibilityLevel'
 - 'NtlmMinClientSec'
 - 'RestrictSendingNTLMTraffic'
- condition: 1 of them
+ condition: selection
 falsepositives:
 - Unknown
 level: critical
\ No newline at end of file
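Review bot: The renamed `selection` still fires on any write to the three `ObjectValueName` entries, so an administrator raising `LmCompatibilityLevel` or `NtlmMinClientSec` through a hardening GPO produces the same critical-level alert as an actual downgrade. Event 4657 carries the new value of the modified registry value, so the rule could either narrow the selection on that field (for example values that weaken the setting) or at least document in the rule that the match is direction-agnostic and that analysts must inspect the new value. Relatedly, `falsepositives: - Unknown` is no longer accurate for a rule that demonstrably matches legitimate hardening; I would replace it with `- Legitimate administrative hardening of LSA/NTLM settings via GPO or scripts`. The rule's title, id and description lie above the hunk and should be checked for the same wording.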