diff --git a/rules/windows/process_creation/proc_creation_win_masqueraded_svchost.yml b/rules/windows/process_creation/proc_creation_win_masqueraded_svchost.yml
index 3c469ccaab6..9ddeb4f3595 100644
--- a/rules/windows/process_creation/proc_creation_win_masqueraded_svchost.yml
+++ b/rules/windows/process_creation/proc_creation_win_masqueraded_svchost.yml
@@ -17,12 +17,12 @@ logsource:
 product: windows
 detection:
 selection:
- Image|endswith: '\svchost.exe'
+ Image|endswith: '\svchost.exe'
 filter:
- - Image|contains:
- - '\Windows\System32\' # C:\WINDOWS\system32\random\svchost.exe will evade this logic
- - '\Windows\SysWOW64\'
- OriginalFileName: 'svchost.exe'
+ - Image|contains:
+ - '\Windows\System32\' # C:\WINDOWS\system32\random\svchost.exe will evade this logic
+ - '\Windows\SysWOW64\'
+ - OriginalFileName: 'svchost.exe'
 condition: selection_image and not filter
 falsepositives:
 - Unknown
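Review bot: The unchanged context line `condition: selection_image and not filter` references a detection identifier that this hunk does not define — the selection block is named `selection:`, so unless `selection` is renamed elsewhere in the file (outside this hunk), the rule will not compile and can never fire, which the indentation fix does not address. Rename one side so they agree, e.g. `selection_image:` in place of `selection:`, which also keeps the rule's intent readable. The re-indented filter still uses `Image|contains` on `\Windows\System32\` and `\Windows\SysWOW64\`; the inline comment already records that a nested directory under System32 slips through this substring match, so if the goal is to suppress only the genuine binaries, consider exact `Image` values for the two expected paths, at the cost of non-default system drives, and say so in a comment. The logsource and the rest of the detection block are outside the hunk, so the identifier mismatch is inferred from the visible lines only.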