diff --git a/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml b/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml
index e85114085..10570812f 100644
--- a/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml
+++ b/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml
@@ -6,7 +6,7 @@ references:
 - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
 author: frack113
 date: 2021/08/10
-modified: 2023/01/04
+modified: 2023/04/26
 logsource:
 product: windows
 service: iis
@@ -21,13 +21,14 @@ detection:
 - 'VirtualDirectory'
 cs-username|endswith: '$'
 keywords:
- 'POST'
- 200
- '/ecp/DDI/DDIService.svc/SetObject'
- 'schema=Reset'
- 'VirtualDirectory'
- '$'
- condition: selection or all of keywords
+ '|all':
+ - 'POST'
+ - 200
+ - '/ecp/DDI/DDIService.svc/SetObject'
+ - 'schema=Reset'
+ - 'VirtualDirectory'
+ - '$'
+ condition: selection or keywords
 falsepositives:
 - Unlikely
 level: critical
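Review bot: In the new `'|all'` keyword list the entries `200` and `'$'` are bare substrings, so they match anywhere in the raw log line rather than the status code or the end of the username that `cs-username|endswith: '$'` pins in `selection`; the keyword branch is effectively gated only by `POST` and the three URI strings. `200` is also the only unquoted integer in a list of string keywords, and writing it as `- '200'` keeps the type explicit for backends that treat keyword values as strings. I would add a comment above `keywords:` such as `# Fallback for unparsed IIS log lines; '200' and '$' are unanchored substrings here, unlike the field matches in selection`. The `detection:` block starts above this hunk, so the rest of `selection` is not visible here.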