diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml
index 989deece..5fd340fb 100644
--- a/rules/linux/macos_find_cred_in_files.yml
+++ b/rules/linux/macos_find_cred_in_files.yml
@@ -13,8 +13,9 @@ logsource:
 category: process_creation
 detection:
 selection1:
- CommandLine|contains|all:
- - 'grep'
+ ProcessName|endswith:
+ - '/grep'
+ CommandLine|contains:
 - 'password'
 selection2:
 CommandLine|contains: 'laZagne'
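Review bot: The new `ProcessName|endswith: '/grep'` in selection1 narrows coverage compared with the old `CommandLine|contains: 'grep'`, which also matched `egrep`, `fgrep` and `zgrep` as substrings; unless those are shell wrappers that exec a child `grep` on the monitored hosts, `egrep -ri password /etc` no longer fires, so extending the list to `- '/grep'`, `- '/egrep'`, `- '/fgrep'` (and `- '/zgrep'`) keeps the intended detection. It is also worth confirming that `ProcessName` is a field the macOS process_creation mapping actually emits, since the Sigma taxonomy names the executable path `Image` and an unmapped field makes the selection silently never match rather than fail at conversion. The `condition` that combines selection1 and selection2 sits outside the hunk, so the AND-within-selection / OR-across-selections semantics of the split keys could not be checked here.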