diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
index 291b387d8..f5ec46e44 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -117,10 +117,10 @@ detection:
         TargetImage|endswith: '\winlogon.exe'
         GrantedAccess: '0x1fffff'
     filter_optional_adobe_arm_helper:
-        SourceImage|startswith: # example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe'
+        SourceImage|startswith: # Example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe'
             - 'C:\Program Files\Common Files\Adobe\ARM\'
             - 'C:\Program Files (x86)\Common Files\Adobe\ARM\'
-        SourceImage|endswith: 'AdobeARMHelper.exe'
+        SourceImage|endswith: '\AdobeARMHelper.exe'
         GrantedAcces: '0x1410'
     condition: selection and not 1 of filter_optional_*
 fields:
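Review bot: The last field of `filter_optional_adobe_arm_helper` is misspelled as `GrantedAcces: '0x1410'` (the context line two above spells it `GrantedAccess`), so the filter keys on a field name no backend field mapping knows; depending on the backend the filter either never matches, leaving the AdobeARMHelper false positive this commit is tightening unsuppressed, or fails conversion outright. Fix it in the same commit: `GrantedAccess: '0x1410'`. Separately, the `startswith` prefixes combined with the `\AdobeARMHelper.exe` suffix accept any intermediate directory (the example path shows a random `Temp\<id>\` subfolder), so anything able to drop a so-named binary anywhere under `...\Adobe\ARM\` would be excluded from this LSASS-access rule; that is probably acceptable given the default ACLs on Program Files, but a one-line comment stating that assumption would help the next reviewer. The enclosing `detection:` block starts outside the hunk.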