diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
index e25b102e..5c79b2b6 100644
--- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml
+++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
@@ -14,7 +14,7 @@ logsource:
 product: windows
 detection:
 selection_image1:
- ParentImage|endswith:
+ - ParentImage|endswith:
 - '\mshta.exe'
 - '\rundll32.exe'
 - '\regsvr32.exe'
@@ -45,17 +45,14 @@ detection:
 - '\php-cgi.exe'
 - '\jbosssvc.exe'
 - "MicrosoftEdgeSH.exe"
- selection_image2:
- ParentImage|contains: "tomcat"
-
- filters:
+ - ParentImage|contains: "tomcat"
+ selection_powershell:
 - CommandLine|contains:
 - "powershell"
 - "pwsh"
 - Description: "Windows PowerShell"
 - Product: "PowerShell Core 6"
-
- condition: (1 of selection_image*) and (1 of filters)
+ condition: all of them
 falsepositives:
 - Other scripts
 level: medium
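Review bot: The `- "MicrosoftEdgeSH.exe"` entry in the rebuilt `selection_image1` list is the only `ParentImage|endswith` value without a leading backslash, so the restructured selection still matches any parent image whose file name merely ends in that string rather than that exact binary; change it to `- '\MicrosoftEdgeSH.exe'` to match the other entries. The `Description: "Windows PowerShell"` and `Product: "PowerShell Core 6"` selectors are exact matches, so PowerShell builds whose version metadata differs (newer pwsh releases presumably report another Product string) are caught only through the `CommandLine|contains` branch; if the log source supplies the field, `Product|contains: "PowerShell"` would be more robust, and the coverage limit is worth recording in the rule's description. Folding `ParentImage|contains: "tomcat"` into the same list as the `|endswith` map relies on Sigma treating list items in one selection as OR, which keeps `all of them` equivalent to the old `(1 of selection_image*) and (1 of filters)`; a short comment above the list stating that intent would help the next maintainer who adds a parent.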