diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
index 75c46cf773..1af9691ace 100644
--- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
+++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
@@ -9,7 +9,7 @@ type: Anomaly
 status: production
 description: The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery.
 kind: endpoint
-search: '`sysmon` EventCode=11 Image="*.exe" TargetFilename IN ("*__tmp_rar_sfx_access_check*") 
+search: '`sysmon` EventCode=11 TargetFilename IN ("*__tmp_rar_sfx_access_check*") 
   | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename Computer 
   | rename Computer as dest 
   | rename TargetFilename as file_name