diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
index 25cb014c3..17baa3e77 100644
--- a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -2,7 +2,7 @@ title: Atlassian Confluence RCE Exploit CVE-2021-26084
 id: 38825179-3c78-4fed-b222-2e2166b926b1
 description: Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
 status: experimental
-reference:
+references:
     - https://twitter.com/wvuuuuuuuuuuuuu/status/1432918959389614083
     - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
     - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
@@ -21,7 +21,14 @@ detection:
             - '/doenterpagevariables.action'
             - 'queryString='
             - 'u0027'
-    condition: selection_exploit and keywords
+    selection_req:
+        cs-method: 'POST'
+        sc-status: '200'
+        c-uri|contains|all:
+            - '/doenterpagevariables.action'
+    keywords:
+        - 'u0027'
+    condition: selection_exploit or (selection_req and keywords)
 fields:
     - c-ip
     - c-uri
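Review bot: `c-uri|contains|all` in the new `selection_req` carries a single list value, so the `|all` modifier does nothing there; `c-uri|contains: '/doenterpagevariables.action'` expresses the same match more plainly. The `sc-status: '200'` constraint on the new branch means only requests the server answered successfully can fire it, so failed attempts (4xx/5xx) against the same endpoint stay invisible to this rule; if that is intended, a comment above `selection_req` such as `# only successful requests — failed probes are out of scope` would spare the next reader the inference. Since an event matching `selection_exploit` (its head lies outside the hunk) also appears to satisfy `selection_req` and the `u0027` keyword, the `selection_exploit or` part of the new condition may be redundant — worth confirming against the full detection block before simplifying. Because this changes the detection logic of an existing rule, the rule's `modified:` date (not visible in this hunk) should be bumped per Sigma convention. Unrelated to the change but visible in the first hunk, the `description` line reads `CVE-2021-260841` with a trailing extra digit while the title says `CVE-2021-26084`; it is worth fixing in the same commit.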