From 22842e8d74ab60c990b03fc2c8dd5ddc155f74d5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 18 Jan 2025 13:03:20 +0100
Subject: [PATCH] Update proc_creation_lnx_rsync_shell_spawn.yml
---
 .../proc_creation_lnx_rsync_shell_spawn.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml
index 0357c0221cf..075481a96a2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml
@@ -16,11 +16,11 @@ logsource:
 category: process_creation
 product: linux
 detection:
- selection:
+ selection_parent:
 ParentImage|endswith:
 - '/rsync'
 - '/rsyncd'
- selection_cli:
+ selection_shells:
 Image|endswith:
 - '/ash'
 - '/bash'
@@ -32,7 +32,7 @@ detection:
 - '/zsh'
 filter_expected:
 CommandLine|contains: ' -e '
- condition: selection and not 1 of filter_*
+ condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Unknown
 level: high
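Review bot: The new condition in the second hunk, `all of selection_* and not 1 of filter_*`, still lets `filter_expected` suppress every match whose shell command line contains ` -e `, and that substring test is not tied to rsync in any way. In Sigma's process_creation taxonomy `CommandLine` is the spawned process's own command line, so if the filter is meant to cover rsync being started with its `-e` remote-shell option it would presumably belong on the parent, e.g. `ParentCommandLine|contains: ' -e '` (to be confirmed against real telemetry before changing it). As written, a `level: high` rule has an undocumented exclusion, so at minimum I would add a comment above `filter_expected` naming the legitimate activity it is meant to exclude, and consider renaming it to the `filter_main_*` / `filter_optional_*` scheme so its role is explicit. The middle of the shell list lies between the two hunks and the rule header is above the first, so neither is visible here.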