diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/win_susp_wmi_login.yml
index cf0bad0c5..98835de02 100644
--- a/rules/windows/builtin/win_susp_wmi_login.yml
+++ b/rules/windows/builtin/win_susp_wmi_login.yml
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection:
         EventID: 4624
-        ProcessName|endswith: "\\WmiPrvSE.exe"
+        ProcessName|endswith: '\WmiPrvSE.exe'
     condition: selection
 falsepositives:
     - Monitoring tools