diff --git a/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml b/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml
index f92c68939..392ff7305 100644
--- a/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml
@@ -28,16 +28,14 @@ detection:
- '\mshta.exe'
falsepositives:
CurrentDirectory|contains: '\ccmcache\'
-
- # FP - Amazon Workspaces
- ParentCommandLine|contains: '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
- ParentCommandLine|contains: '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
- ParentCommandLine|contains: '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
-
- # Tenable/Nessus VA Scanner
- ParentCommandLine|contains: '\nessus_'
- CommandLine|contains: '\nessus_'
-
+ ParentCommandLine|contains:
+ # FP - Amazon Workspaces
+ - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
+ - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
+ - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
+ - '\nessus_' # Tenable/Nessus VA Scanner
+ CommandLine|contains:
+ - '\nessus_' # Tenable/Nessus VA Scanner
condition: selection and not falsepositives
fields:
- CommandLine
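Review bot: The `'\nessus_'` entries under `ParentCommandLine|contains` and `CommandLine|contains` exclude on a bare substring of a field the launching process controls, so the `not falsepositives` clause drops any shell-spawn event whose command line merely contains `\nessus_`, wherever the binary actually lives; this is a much broader exclusion than the Amazon WorkSpaces entries, which anchor on full `\Program Files\...` paths. If the scanner's install location is stable, anchor the Nessus exclusion the same way, e.g. `- '\<nessus install dir>\nessus_'` (placeholder for the real directory), or filter on the scanner's image path instead; if it is not stable, a comment saying so, such as `# substring only: Nessus plugin dir is not fixed across hosts`, tells the next reviewer the breadth is deliberate. Separately, the two inline `# Tenable/Nessus VA Scanner` comments have a single space before `#`, where yamllint expects at least two. The enclosing `detection:` mapping and its `selection` block begin before the hunk.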