diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
index bb110c4d2..f26e06957 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml
@@ -25,6 +25,8 @@ detection:
         CommandLine|contains:
             - '/name:'
             - '-name:'
+    filter_iis_setup:
+        ParentImage: 'C:\Windows\System32\inetsrv\iissetup.exe'
     condition: all of selection_*
 falsepositives:
     - Unknown as it may vary from organisation to organisation how admins use to install IIS modules
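Review bot: The new `filter_iis_setup` block is never evaluated, because the unchanged context line `condition: all of selection_*` only references `selection_*` names, so the intended exclusion of appcmd launched by the IIS setup binary has no effect and the false-positive it targets will still fire. The condition line in this hunk should become `condition: all of selection_* and not 1 of filter_*` (or `and not filter_iis_setup`) in the same commit. Separately, the filter pins the parent to a literal `C:\Windows\System32\...` path, which will not match hosts installed on a different system drive; the usual Sigma form is `ParentImage|endswith: '\inetsrv\iissetup.exe'`, with the trade-off that any process of that name under an `inetsrv` directory is then excluded, so the stricter full-path form is defensible if that is deliberate. The `detection:` mapping this hunk edits begins before the hunk starts.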