diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index d8e3384a6..fb2a5fdf2 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -24,9 +24,11 @@ detection:
 - '*\Windows\Temp\\*'
 filter:
 ParentImage:
- - 'C:\Program Files*'
- - '*\sdiagnhost.exe'
+ - 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897
+ - '*\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
+ - '*\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
 condition: selection and not filter
 falsepositives:
- - Unkown
+ - https://twitter.com/gN3mes1s/status/1206874118282448897
+ - https://twitter.com/gabriele_pippi/status/1206907900268072962
 level: high
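Review bot: The two new falsepositives entries are bare URLs, which leaves an analyst triaging a hit with no readable description of the benign scenario the filter is meant to cover; Sigma convention keeps source links under references and a prose description here, e.g. `- Legitimate .NET compilation by applications under Program Files, by sdiagnhost.exe, or by IIS worker processes (w3wp.exe)`, with the two tweet URLs moved to the rule's references list (that list lies outside the hunk, so I cannot confirm whether one already exists). The added `'*\w3wp.exe'` parent filter also suppresses every csc.exe launched by the IIS worker process, which covers legitimate ASP.NET dynamic compilation but equally covers compilation driven by whatever code is executing inside that worker, so the exclusion is a deliberate visibility trade-off rather than a pure false-positive fix; a comment on that entry such as `# excludes ASP.NET dynamic compilation; compilation initiated by code inside the worker is excluded too` would keep the gap visible to whoever tunes the rule next. Likewise `'C:\Program Files*'` is a prefix match on the parent path, so any executable placed under a user-writable subdirectory of Program Files is exempted; worth noting in the same comment. The same URL is annotated twice on consecutive filter entries and could be a single comment above the list.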