diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml
index 72e8b858e..258254ccf 100644
--- a/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml
+++ b/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml
@@ -15,5 +15,5 @@ detection:
 Image: '*\FLTLDR.exe*'
 condition: selection
 falsepositives:
- - Unknown
-level: critical
+ - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
+level: medium
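Review bot: The new `falsepositives` entry records a triage instruction rather than the benign activity that fires the rule, which is what Sigma's `falsepositives` list is meant to hold; consider naming the legitimate source that was observed (which process or document type loads the filter loader) and keeping the "check file names and locations (e.g. Temp folders)" hint in `description` or as a comment. Lowering `level` to medium trades alert fatigue for reduced attention on every hit; if the observed false positives share a recognisable pattern, a filter in the selection on that pattern would keep the severity meaningful, though the selection block starts outside this hunk so I cannot tell whether one already exists. On the unchanged context line, `Image: '*\FLTLDR.exe*'` with a trailing wildcard also matches any image whose name merely begins with FLTLDR.exe; if the Sigma version in use supports modifiers, `Image|endswith: '\FLTLDR.exe'` would be tighter.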