Update sysmon_susp_mic_cam_access.yml

rules/windows/registry_event/sysmon_susp_mic_cam_access.yml

@@ -14,8 +14,9 @@ logsource:
     product: windows
 detection:
     selection_1:
-        TargetObject|contains:
-            - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
+        TargetObject|contains|all:
+            - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
+            - '\NonPackaged'
     selection_2:
         TargetObject|contains:
             - microphone
@@ -31,4 +32,4 @@ detection:
     condition: all of selection_*
 falsepositives:
     - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
-level: high
+level: high