diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
index f5346f3d3..449439771 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
@@ -32,7 +32,7 @@ detection:
 CommandLine|contains|all:
 - '\FileTracker32.dll'
 - ',#1'
- condition: selection and not filter
+ condition: selection and not 1 of filter*
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
 - Windows control panel elements have been identified as source (mmc)
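Review bot: The new condition `selection and not 1 of filter*` turns every identifier that starts with `filter` into an exclusion, but the identifier of the filter whose tail is visible here (`\FileTracker32.dll` plus `,#1`) and any sibling filters sit above the hunk, so this hunk alone does not confirm that those identifiers were renamed to match the glob; one that kept the bare name `filter` still matches, while one given a different prefix would silently stop excluding. Because the glob also captures any future `filter_*` block, each filter block in the detection section should carry a short comment naming the tool or behaviour it whitelists, e.g. `# FileTracker32.dll ordinal #1: known benign rundll32 invocation; keep the contains|all pairing so neither token alone excludes`. The `falsepositives` entries are unchanged by this commit, so the rationale for the exclusion currently lives nowhere in the rule. If the rule header's `modified:` date is not bumped elsewhere in this commit, it should be, since the detection logic changed.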