diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
index 5d930fdb3..d19456a86 100644
--- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
@@ -63,7 +63,7 @@ detection:
             - C:\Windows\SysNative\
             - C:\Program Files\
             - C:\Windows\Temp\asgard2-agent\
-            - C:\ProgramData\
+            - C:\ProgramData\Microsoft\Windows Defender\Platform\
     filter2:
         ProcessName|startswith:
             - 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions
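Review bot: The narrowed exclusion on the added line still exempts any image under `C:\ProgramData\Microsoft\Windows Defender\Platform\` purely by path prefix, and unlike the `C:\Program Files` entry in filter2 it carries no comment recording which process it is meant to cover. A trailing comment such as `# Defender platform directory (presumably the MsMpEng.exe engine) - legitimate LSASS access by the AV engine` would make the intent reviewable in later FP discussions, and if the rule already keys on an image name elsewhere in filter1, tying this prefix to that name would keep the exclusion from applying to anything else placed in that tree. The filter1 list and the enclosing `detection` block begin outside the hunk, so whether such an image-name condition exists cannot be confirmed here.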