Update rules/windows/process_creation/proc_creation_win_wsl_executed_from_unusual_directoy.yml

Liran017 · swachchhanda000 · web-flow · commit 74cc161f553c · 2026-03-30T14:07:16.000+03:00
Co-authored-by: Swachchhanda Shrawan Poudel &lt;87493836+swachchhanda000@users.noreply.github.com&gt;
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_executed_from_unusual_directoy.yml b/rules/windows/process_creation/proc_creation_win_wsl_executed_from_unusual_directoy.yml
@@ -27,7 +27,7 @@ detection:
     filter_main_legit_paths_3:
         Image|startswith: 'C:\Users'
         Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
-    condition: selection_img and not (filter1 or filter2 or filter3)
+    condition: selection_img and not 1 of filter_main_*
 falsepositives:
     - Unlikely
 level: high
