diff --git a/rules/windows/process_creation/win_susp_child_process_as_system_.yml b/rules/windows/process_creation/win_susp_child_process_as_system_.yml
index d7a31c2b7..241bcc8e8 100644
--- a/rules/windows/process_creation/win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/win_susp_child_process_as_system_.yml
@@ -22,8 +22,9 @@ detection:
         ParentUser:
             - 'NT AUTHORITY\NETWORK SERVICE'
             - 'NT AUTHORITY\LOCAL SERVICE'
+        User:
+            - 'NT AUTHORITY\SYSTEM'
             - 'AUTORITE NT\Sys' # French language settings
-        User: 'NT AUTHORITY\SYSTEM'
         IntegrityLevel: 'System'
     rundllexception:
         Image|endswith: '\rundll32.exe'
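Review bot: The value `'AUTORITE NT\Sys'` that now sits under the new `User:` list is matched exactly, because the key carries no modifier, and it looks like a deliberately truncated prefix of the French SYSTEM account name rather than a complete value, so this entry will only fire if the logged user string is literally that short. If the intent is a prefix match (presumably to sidestep the accented character in the full name), the key should say so, e.g. `User|startswith:`, which still matches `'NT AUTHORITY\SYSTEM'` exactly as before; otherwise the comment should state which exact string is expected. Moving this entry also leaves `ParentUser:` without any non-English equivalent of the two service accounts, so on French-localised hosts the parent check may no longer match at all — worth a comment on `ParentUser:` either way. The selection this hunk belongs to starts above line 22, outside the hunk.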