diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index 02c1d946c..8b51338a7 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
@@ -18,8 +18,9 @@ detection:
 - '*\MsMpEng.exe'
 - '*\Mrt.exe'
 - '*\rpcnet.exe'
- - null
- condition: selection and not filter
+ filter_null:
+ ParentImage: null
+ condition: selection and not filter and not filter_null
 fields:
 - CommandLine
 - ParentCommandLine
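Review bot: The new `filter_null` block suppresses every event whose ParentImage field is absent, so a svchost.exe start for which the sensor recorded no parent can no longer alert, and nothing in the hunk records why that visibility gap is acceptable. A comment above the new block, such as `# events lacking ParentImage (incomplete parent telemetry) are excluded to avoid false positives; accepted visibility trade-off`, would make the intent explicit to whoever tunes this rule later. The change looks like a restructuring of the former `- null` list entry into its own selection rather than a semantic change, presumably so backends that cannot mix a null test with string patterns in one list can compile the rule; if that is the motivation, stating it in the commit message or a comment would help. The `filter:` block header and the `selection` definition lie outside the hunk, so the full exclusion logic is not visible here.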