diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
index 955d6f6f6..d52158f85 100644
--- a/rules/windows/process_creation/win_susp_procs_req_dlls.yml
+++ b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
@@ -22,7 +22,7 @@ detection:
 - '\regsvr32.exe'
 filter1:
 ParentImage|contains:
-- '\AppData\Local\Temp\'
+- '\AppData\Local\'
 - '\Microsoft\Edge\'
 condition: selection and not filter1
 fields:
diff --git a/rules/windows/process_creation/win_susp_rundll32_no_params.yml b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
index f9a961510..b45e3b4e0 100644
--- a/rules/windows/process_creation/win_susp_rundll32_no_params.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
@@ -16,7 +16,7 @@ detection:
 ParentImage|endswith: '\svchost.exe'
 filter2:
 ParentImage|contains:
-- '\AppData\Local\Temp\'
+- '\AppData\Local\'
 - '\Microsoft\Edge\'
 condition: selection and not filter1 and not filter2
 fields:
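Review bot: Replacing `'\AppData\Local\Temp\'` with `'\AppData\Local\'` in the `ParentImage|contains` filter of win_susp_procs_req_dlls.yml (and identically in filter2 of win_susp_rundll32_no_params.yml) widens the exclusion from one temp directory to every parent process living anywhere under the per-user AppData\Local tree, so the rule no longer fires for rundll32/regsvr32 launched by any program staged in that user-writable location. Because `contains` is a substring match, the new entry subsumes the old one, so nothing previously filtered is lost, but the added blind spot covers exactly the kind of parent the rule exists to catch. If a specific per-user application caused the false positives, the narrower fix is to keep `- '\AppData\Local\Temp\'` and add that application's own subpath, e.g. `- '\AppData\Local\<APP_DIR_PLACEHOLDER>\'`, rather than the whole tree. The `selection` block and the rest of each rule lie outside the hunk, so the exact process set being suppressed cannot be confirmed from this diff alone; a one-line comment next to the filter recording why the broader path was chosen would help future tuning.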