diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
index 279f080b1380d..371f40f6a9293 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
@@ -369,61 +369,74 @@ export const getPrepopulatedEndpointException = ({
 const filePath = file?.path ?? '';
 const sha256Hash = file?.hash?.sha256 ?? '';
 const isLinux = host?.os?.name === 'Linux';
- const filePathDefault = isLinux ? 'file.path' : 'file.path.caseless';
- const codeSignatureFields = [
- {
- field: 'file.Ext.code_signature',
- type: 'nested',
- entries: [
+ const entriesToAdd = () => {
+ if (isLinux) {
+ return addIdToEntries([
 {
- field: 'subject_name',
+ field: 'file.path',
 operator: 'included',
 type: 'match',
- value: codeSignature != null ? codeSignature.subjectName : '',
+ value: filePath ?? '',
 },
 {
- field: 'trusted',
+ field: 'file.hash.sha256',
 operator: 'included',
 type: 'match',
- value: codeSignature != null ? codeSignature.trusted : '',
+ value: sha256Hash ?? '',
 },
- ],
- },
- ];
-
- const commonFields = [
- {
- field: filePathDefault,
- operator: 'included',
- type: 'match',
- value: filePath ?? '',
- },
- {
- field: 'file.hash.sha256',
- operator: 'included',
- type: 'match',
- value: sha256Hash ?? '',
- },
- {
- field: 'event.code',
- operator: 'included',
- type: 'match',
- value: eventCode ?? '',
- },
- ];
-
- const entriesToAdd = () => {
- if (isLinux) {
- return commonFields;
+ {
+ field: 'event.code',
+ operator: 'included',
+ type: 'match',
+ value: eventCode ?? '',
+ },
+ ]);
 } else {
- return [...codeSignatureFields, ...commonFields];
+ return addIdToEntries([
+ {
+ field: 'file.Ext.code_signature',
+ type: 'nested',
+ entries: [
+ {
+ field: 'subject_name',
+ operator: 'included',
+ type: 'match',
+ value: codeSignature != null ? codeSignature.subjectName : '',
+ },
+ {
+ field: 'trusted',
+ operator: 'included',
+ type: 'match',
+ value: codeSignature != null ? codeSignature.trusted : '',
+ },
+ ],
+ },
+ {
+ field: 'file.path.caseless',
+ operator: 'included',
+ type: 'match',
+ value: filePath ?? '',
+ },
+ {
+ field: 'file.hash.sha256',
+ operator: 'included',
+ type: 'match',
+ value: sha256Hash ?? '',
+ },
+ {
+ field: 'event.code',
+ operator: 'included',
+ type: 'match',
+ value: eventCode ?? '',
+ },
+ ]);
 }
 };
 return {
 ...getNewExceptionItem({ listId, namespaceType: listNamespace, ruleName }),
- entries: addIdToEntries(entriesToAdd()),
+ entries: entriesToAdd(),
 };
 };
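Review bot: The three `match` entries for the file path, `file.hash.sha256` and `event.code` are now written out twice, once in the `isLinux` branch and once in the `else` branch, and the copies differ only in `file.path` versus `file.path.caseless`. Because these entries define what a prepopulated endpoint exception will suppress, a later edit to one branch alone would quietly give Linux and non-Linux hosts exceptions of different scope; a small local builder such as `const matchEntry = (field: string, value: string) => ({ field, operator: 'included' as const, type: 'match' as const, value });` would keep one definition while each branch still passes its own literal array to `addIdToEntries`. Also, `filePath` and `sha256Hash` are already defaulted to `''` on the context lines at the top of the hunk, so the `?? ''` on their `value:` lines can never take effect and can be dropped. If the inlining was done to satisfy type inference (the reason is not visible here), a one-line comment above `entriesToAdd` saying so would stop the next reader from merging the arrays again. The body of `getPrepopulatedEndpointException` starts before the hunk.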