diff --git a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
index fedeecf64..262d9c7dc 100755
--- a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -16,15 +16,15 @@ logsource:
     product: windows
 detection:
     selection:
-        Image:
-            - '*\winword.exe'
-            - '*\powerpnt.exe'
-            - '*\excel.exe'
-            - '*\outlook.exe'
-        ImageLoaded:
-            - '*\VBE7.DLL'
-            - '*\VBEUI.DLL'
-            - '*\VBE7INTL.DLL'
+        Image|endswith:
+            - '\winword.exe'
+            - '\powerpnt.exe'
+            - '\excel.exe'
+            - '\outlook.exe'
+        ImageLoaded|endswith:
+            - '\VBE7.DLL'
+            - '\VBEUI.DLL'
+            - '\VBE7INTL.DLL'
     condition: selection
 falsepositives:
     - Alerts on legitimate macro usage as well, will need to filter as appropriate