diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
index 2263db78e..27edc3817 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/08/12
+modified: 2022/08/22
 logsource:
 category: process_creation
 product: windows
@@ -20,14 +20,18 @@ detection: Image|contains: - '~1\' - '~2\' - filter: + filter_other: - ParentImage: - C:\Windows\System32\Dism.exe - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long) - ParentImage|endswith: - '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes - '\thor\thor64.exe' - condition: selection and not filter + filter_installshield: - Product: 'InstallShield (R)' - Description: 'InstallShield (R) Setup Engine' - Company: 'InstallShield Software Corporation' + condition: selection and not 1 of filter_* falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: high
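Review bot: The new `filter_installshield` exclusion keys only on the child image's version-info strings (`Product`, `Description`, `Company`), which whoever builds the binary controls, and because the three entries are separate list items any one of them alone suppresses the match, so a payload whose VERSIONINFO resource sets `Product` to `InstallShield (R)` evades the rule outright. Tighten it by dropping the leading `- ` from the three entries so they form one map that must match in full (`Product: 'InstallShield (R)'`, `Description: 'InstallShield (R) Setup Engine'`, `Company: 'InstallShield Software Corporation'`), and add an `Image|endswith` or `ParentImage` constraint if the samples behind this change support one. These fields are typically only populated by Sysmon-style process-creation telemetry; on sources that lack them (plain Security 4688) the filter silently never matches, which fails toward more alerts rather than a bypass but is worth a line on the filter such as `# Version-info fields are attacker-controlled and absent on 4688; keep this exclusion narrow`. The `detection:` mapping edited here starts before the hunk.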