diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
index 4d3178252..55e39ac5e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
@@ -30,7 +30,7 @@ detection:
 condition: all of selection_* and not filter
 falsepositives:
 - Some FP is expected with some installers
-level: high
+level: medium
 tags:
 - attack.defense_evasion
 - attack.t1027
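Review bot: The new `level: medium` is not paired with any narrowing of `filter` or a more specific `falsepositives` entry, so the rule matches exactly the same events and only its triage priority drops. Pipelines that alert only on `high` and above will stop surfacing this defense-evasion detection. If the noise comes from a small set of known installers, excluding them in `filter` would keep the higher severity for everything else. Failing that, the entry could at least say which ones, for example `- Installers that execute from CLSID-named folders (name the products observed)`. No `modified:` date change appears in this diff either; Sigma convention is to update it when a rule's level changes, though the rule header lies outside the hunk.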