diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index 86f498e12..b57672f56 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
 selection1:
 EventID: 4738
- AllowedToDelegateTo: '*'
+ AllowedToDelegateTo: (any)
 selection2:
 EventID: 5136
 AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
diff --git a/rules/windows/sysmon/sysmon_susp_net_execution.yml b/rules/windows/sysmon/sysmon_susp_net_execution.yml
index a3ac5f82c..f8c92ecd6 100644
--- a/rules/windows/sysmon/sysmon_susp_net_execution.yml
+++ b/rules/windows/sysmon/sysmon_susp_net_execution.yml
@@ -27,4 +27,4 @@ fields:
 - ParentCommandLine
 falsepositives:
 - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
-level: medium
+level: low
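Review bot: The new value `(any)` for `AllowedToDelegateTo` in selection1 is not, as far as I can tell, a wildcard or modifier in the Sigma value syntax, so a converter that does not special-case it will most likely emit a literal string comparison and selection1 will silently stop matching 4738 events. If the intent is "attribute present with any value", note that 4738 appears to report unchanged attributes as `-`, so an unfiltered any-value match would also fire on every account change that did not touch delegation; a filter such as `filter_unchanged: AllowedToDelegateTo: '-'` subtracted from selection1 in the condition would keep the rule targeted. The `condition` line that combines selection1 and selection2 lies outside this hunk, so I cannot confirm how selection1 is used; please verify the chosen syntax against the backend before lowering confidence in this alert.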
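Review bot: Dropping `level` from medium to low is not accompanied by any documented tuning, and the only `falsepositives` entry is operator advice ("Will need to be tuned…") plus a Splunk-specific query rather than a list of benign causes of net.exe execution. A reviewer reading this rule later cannot tell why the severity changed; consider adding a concrete falsepositive entry such as `- Administrative scripts and logon scripts that invoke net.exe` and moving the Splunk hunting hint into `description`. The rest of the rule (detection block) is outside this hunk, so I cannot check whether the selection itself was narrowed to justify the lower level.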