diff --git a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
index 1c27d1cd9..cef7ef843 100644
--- a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
+++ b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
@@ -13,16 +13,19 @@ logsource:
     product: windows
     service: system
 detection:
-    selection:
+    selection_1:
         Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center # Active Directory
         EventID:
             - 35
             - 36
             - 37
             - 38
+    selection_2:
+        Provider_Name: Microsoft-Windows-Directory-Services-SAM # Active Directory
+        EventID:
             - 16990
             - 16991
-    condition: selection
+    condition: selection_1 or selection_2
 fields:
     - samAccountName
 falsepositives:
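Review bot: The two selections are named `selection_1` and `selection_2` and both carry the identical trailing comment `# Active Directory`, which tells a reader nothing about why the split exists; naming them after the event source — `selection_kdc:` / `selection_sam:` with `condition: selection_kdc or selection_sam` — and changing the comments to `# KDC audit events, CVE-2021-42287 mitigation` and `# SAM hardening events, CVE-2021-42278 mitigation` would make the hunk self-documenting. Moving 16990/16991 out of the KDC selection looks correct: a Sigma selection ANDs its fields, so the old single selection required the KDC provider together with SAM event IDs and presumably could never have matched those two events. As far as I recall, none of these event IDs are logged on a domain controller that has not received the corresponding hardening updates, so the rule is silent there; a sentence in the description stating that prerequisite would help whoever tunes it. The rule's `title`/`description` and the `falsepositives` list lie outside this hunk.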