diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
index 59b043baa..f75cce094 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
     product: windows
 detection:
     selection:
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - '*\clr.dll*'
+        Image|endswith:
+            - '\winword.exe'
+            - '\powerpnt.exe'
+            - '\excel.exe'
+            - '\outlook.exe'
+        ImageLoaded|contains:
+            - '\clr.dll'
     condition: selection
 falsepositives:
     - Alerts on legitimate macro usage as well, will need to filter as appropriate