diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index fdc094ed..35ff19a7 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
@@ -13,6 +13,7 @@ logsource:
 detection:
     selection:
         EventID: 104
+        Source: Microsoft-Windows-Eventlog
     condition: selection
 falsepositives:
     - Unknown
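Review bot: The added `Source` key pins the selection to the Eventlog provider, but whether the rule still matches after conversion depends on the backend field mapping, since some Sigma configurations expose the event provider under a different field name (commonly `Provider_Name`) rather than `Source`; confirm the key name against the target mapping before merging. The `logsource` block this selection relies on begins above the hunk, so which channel is searched cannot be verified here. The reason for the narrowing is not recorded anywhere in the rule; a one-line comment next to the new key would help the next maintainer, e.g. `# Event IDs are provider-scoped; pin to Microsoft-Windows-Eventlog so unrelated 104 events do not match`. Note also that clearing the Security log is recorded as Event ID 1102 from the same provider, which this selection does not cover — presumably handled by a separate rule, but worth confirming so log-clearing coverage has no gap.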