diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
index 5f9e15896..d61ba1b64 100644
--- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
+++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
@@ -20,12 +20,12 @@ detection:
 selection1:
 EventLog: EDR
 EventType: WMIExecution
- WMIcommand: '*Win32_Process\:\:Create*'
+ WMIcommand|contains: 'Win32_Process\:\:Create'
 selection2:
- - Image:
- - '*\winword.exe'
- - '*\excel.exe'
- - '*\powerpnt.exe'
+ - Image|endswith:
+ - '\winword.exe'
+ - '\excel.exe'
+ - '\powerpnt.exe'
 condition: selection1 AND selection2
 falsepositives:
 - Unknown
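Review bot: The new `WMIcommand|contains: 'Win32_Process\:\:Create'` carries over the backslash-escaped colons from the old wildcard value, and since Sigma only defines backslash escaping for `*`, `?` and `\` itself, a backend that follows the specification would treat `\:` as a literal backslash followed by a colon and search for `Win32_Process\:\:Create` instead of `Win32_Process::Create`; I would drop the escapes: `WMIcommand|contains: 'Win32_Process::Create'`. Colons need no escaping inside a single-quoted YAML scalar, so nothing is lost by removing them. Whether the backend in use actually emits the literal backslash is inferred from the Sigma specification rather than visible here, so the rendered query should be checked once. The `Image|endswith` rewrite looks correct, but the enclosing `detection:` mapping starts above the hunk, so I cannot see whether other selections still use the old wildcard form.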