diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml
index 5bb8bd700..558a109e1 100644
--- a/rules/windows/builtin/win_susp_sdelete.yml
+++ b/rules/windows/builtin/win_susp_sdelete.yml
@@ -28,9 +28,9 @@ detection:
 - 4656
 - 4663
 - 4658
- ObjectName:
- - '*.AAA'
- - '*.ZZZ'
+ ObjectName|endswith:
+ - '.AAA'
+ - '.ZZZ'
 condition: selection
 falsepositives:
 - Legitime usage of SDelete
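Review bot: The new `ObjectName|endswith` form is the Sigma-idiomatic equivalent of the leading-wildcard values it replaces, so the detection scope is unchanged, but the rule still gives no hint why only `.AAA` and `.ZZZ` are listed. SDelete, per its Sysinternals documentation, renames the target through successive extensions from .AAA to .ZZZ before deleting it, so matching the first and last suffix should be sufficient; a one-line comment above the field, `# SDelete renames through .AAA..ZZZ before deleting; the first and last rename are enough to match a wipe`, would keep that rationale with the rule. The rest of the `selection` block (the EventID list) sits in the context lines, and the hunk begins inside `detection:`, so the selection's full definition is not visible here.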