diff --git a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
index 66d0e60a1..8d9c31d21 100644
--- a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
+++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
@@ -14,8 +14,9 @@ logsource:
 product: windows
 detection:
 selection_1:
- TargetObject|contains:
- - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
+ TargetObject|contains|all:
+ - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
+ - '\NonPackaged'
 selection_2:
 TargetObject|contains:
 - microphone
@@ -31,4 +32,4 @@ detection:
 condition: all of selection_*
 falsepositives:
 - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
-level: high
\ No newline at end of file
+level: high
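Review bot: Switching selection_1 from one `contains` pattern to `contains|all` drops the ordering the wildcard expressed — the rule now fires on any TargetObject that holds both `\ConsentStore\` and `\NonPackaged` anywhere and in either order, not only on `ConsentStore\<device>\NonPackaged`. That is likely acceptable for this registry path, but the intent is no longer visible in the rule, so a comment above selection_1 would stop someone from re-adding the wildcard, e.g. `# contains|all instead of a wildcard between ConsentStore and NonPackaged; key order is not enforced`. It is also worth confirming that the trailing backslash in the quoted `...\ConsentStore\` value is converted as a literal backslash by the backends in use rather than treated as an escape, since the previous form ended with a wildcard and did not have this edge. The selection_2 value list continues past the end of the hunk.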