diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
index 8825ab113..078f02eb0 100644
--- a/rules/windows/builtin/win_alert_active_directory_user_control.yml
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -8,7 +8,7 @@ references:
 - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 date: 2017/07/30
-modified: 2021/08/09
+modified: 2020/08/23
 logsource:
 product: windows
 service: security
@@ -16,8 +16,10 @@ logsource:
 detection:
 selection:
 EventID: 4704
- Message|contains: 'SeEnableDelegationPrivilege'
- condition: selection
+ keywords:
+ Message|contains:
+ - 'SeEnableDelegationPrivilege'
+ condition: all of them
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index abc236e0a..c0904ce53 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -6,7 +6,6 @@ references:
 - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
 date: 2017/07/30
-modified: 2021/08/09
 tags:
 - attack.defense_evasion
 - attack.t1089 # an old one
@@ -24,7 +23,8 @@ detection:
 - 'Preauth'
 - 'Encrypted'
 filters:
- Message|contains: 'Enabled'
+ Message|contains:
+ - 'Enabled'
 condition: selection and keywords and filters
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml
index b34e251ee..51a0902c7 100644
--- a/rules/windows/builtin/win_vul_cve_2020_0688.yml
+++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml
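Review bot: `condition: all of them` in the second hunk of win_alert_active_directory_user_control.yml hides which selections must co-occur and will silently absorb any selection added to the rule later; the sibling rule changed in this same commit spells its conjunction out, so `condition: selection and keywords` keeps the two rules consistent and the intent explicit. Matching the right name inside the rendered `Message` text also ties the rule to backends that expose that field; event 4704 carries the assigned right in its `PrivilegeList` EventData field, so `PrivilegeList|contains: 'SeEnableDelegationPrivilege'` would be the more portable match where that field is mapped, which is worth confirming against the target backends before switching. The `modified` date in the first hunk moves backwards to 2020/08/23, which reads as a revert; if this is a fresh edit, the date should be the date of this change.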
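Review bot: `filters` in the second hunk of win_alert_enable_weak_encryption.yml is ANDed into the condition (`selection and keywords and filters`), so despite its name it is a positive selection rather than an exclusion; renaming it, e.g. `selection_enabled:` with `condition: selection and keywords and selection_enabled`, would stop a later editor from "correcting" it to `and not filters`. The substrings `Preauth`, `Encrypted` and `Enabled` are matched independently, so a message that lists several account flags could satisfy the rule when the preauth or DES flag line reads Disabled and an unrelated flag reads Enabled — if the rendered message uses the usual `'Don't Require Preauth' - Enabled` form, matching that whole phrase would bind the state to the flag; confirm against a real event before changing it. The enclosing `detection` block, including the `selection` and `keywords` definitions this condition references, starts above the hunk.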
@@ -7,7 +7,7 @@ references:
 - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
 author: Florian Roth, wagga
 date: 2020/02/29
-modified: 2021/08/09
+modified: 2021/06/27
 tags:
 - attack.initial_access
 - attack.t1190
@@ -20,7 +20,8 @@ detection:
 Source: MSExchange Control Panel
 Level: Error
 selection2:
- Message|contains: '&__VIEWSTATE='
+ Message|contains:
+ - '&__VIEWSTATE='
 condition: selection1 and selection2
 falsepositives:
 - Unknown
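Review bot: The `&__VIEWSTATE=` pattern in the second hunk only matches when `__VIEWSTATE` is not the first query parameter, so an attacker who sends `?__VIEWSTATE=...&__VIEWSTATEGENERATOR=...` instead of the order used in the public proof-of-concepts evades the rule without changing the exploit; now that the value is a list, `- '?__VIEWSTATE='` alongside `- '&__VIEWSTATE='` (or simply `__VIEWSTATE=` without the leading separator) closes that gap. Since `selection1` only requires an MSExchange Control Panel error event, the viewstate token carries the whole detection, so the `falsepositives` entry could replace `Unknown` with a note that any malformed or expired viewstate in a failed ECP request is expected to fire as well. The `modified` date in the first hunk moves back to 2021/06/27, which is consistent with this being a revert of the earlier consolidation.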