diff --git a/docs/attributes-registry/security-rule.md b/docs/attributes-registry/security-rule.md index ff38eb0060..ada53fab99 100644 --- a/docs/attributes-registry/security-rule.md +++ b/docs/attributes-registry/security-rule.md 
@@ -17,8 +17,8 @@ Describes security rule attributes. Rule fields are used to capture the specific | `security_rule.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.reference` | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `security_rule.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.ruleset.name` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -**[1]:** The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. +**[1] `security_rule.reference`:** The URL can point to the vendor’s documentation about the rule. 
If that’s not available, it can also be a link to a more general page describing this type of alert. diff --git a/model/security-rule/registry.yaml b/model/security-rule/registry.yaml index 98f29a6fb2..bd4c9cb5ff 100644 --- a/model/security-rule/registry.yaml +++ b/model/security-rule/registry.yaml @@ -39,7 +39,7 @@ groups: The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. examples: ['https://en.wikipedia.org/wiki/DNS_over_TLS'] - - id: security_rule.ruleset + - id: security_rule.ruleset.name type: string stability: experimental brief: >
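Review bot: the docs hunk replaces the `security_rule.ruleset` row with `security_rule.ruleset.name` but leaves no trace of the old key in the table, so a reader of the generated registry page cannot tell that the attribute was renamed rather than newly added. Since this changes the attribute key that emitters and backends match on, even at experimental stability, consider a changelog entry (or a deprecation row, if the docs generator renders those) stating that `security_rule.ruleset` is now `security_rule.ruleset.name`. The footnote change to `**[1] \`security_rule.reference\`:**` is a good clarification, since it ties the note to the attribute it describes.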
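Review bot: in the registry.yaml hunk the rename is done by editing `id: security_rule.ruleset` in place to `id: security_rule.ruleset.name`, which removes the old id from the model entirely. If the registry keeps renamed attributes with a `deprecated:` note pointing at the replacement (the hunk shows none), add such an entry for `security_rule.ruleset` so that schema tooling can flag telemetry still emitting the old key instead of treating it as an unknown attribute. The rest of the entry (`type: string`, `stability: experimental`, the brief) is unchanged, so the docs hunk above is consistent with regenerating from this model.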