diff --git a/rules/windows/builtin/system/win_system_susp_service_installation.yml b/rules/windows/builtin/system/win_system_susp_service_installation.yml
index d2f4a5a3a..b7a9c0d96 100644
--- a/rules/windows/builtin/system/win_system_susp_service_installation.yml
+++ b/rules/windows/builtin/system/win_system_susp_service_installation.yml
@@ -44,6 +44,8 @@ detection:
 - ' aQBlAHgA' # PowerShell encoded commands
 filter_thor_remote:
 ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
+ filter_defender_def_updates:
+ ImagePath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\'
 condition: selection and ( suspicious1 or all of suspicious2* ) and not 1 of filter_*
 falsepositives:
 - Unknown
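Review bot: The new `filter_defender_def_updates` suppresses the whole rule for any service whose ImagePath merely begins with the Definition Updates directory, because `condition` applies `not 1 of filter_*` across every `suspicious*` pattern, including the encoded-PowerShell indicators; that is a directory prefix, whereas the adjacent `filter_thor_remote` names a specific executable. Consider anchoring it to the update binary actually seen in the false positives by adding a second key in the same map so the two conditions AND together, e.g. `ImagePath|endswith: '\MpSigStub.exe'` if that is the binary observed (confirm against the telemetry that motivated the filter). The `falsepositives` section still reads `- Unknown` although this commit encodes a known benign case; change it to something like `- Windows Defender definition update service installations` so the exclusion is documented where analysts look for it.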