diff --git a/rules/cloud/aws_ec2_download_userdata.yml b/rules/cloud/aws_ec2_download_userdata.yml
index 495002523..28d798a2c 100644
--- a/rules/cloud/aws_ec2_download_userdata.yml
+++ b/rules/cloud/aws_ec2_download_userdata.yml
@@ -16,7 +16,7 @@ detection:
     selection_eventname:
     - eventName: DescribeInstanceAttribute
     timeframe: 30m
-    condition: selection_source AND selection_eventname AND selection_requesttype | count() > 10
+    condition: all of them | count() > 10
 level: medium
 falsepositives:
     - Assets management software like device42
diff --git a/rules/cloud/aws_guardduty_disruption.yml b/rules/cloud/aws_guardduty_disruption.yml
index 6f213b00a..c7e44b234 100644
--- a/rules/cloud/aws_guardduty_disruption.yml
+++ b/rules/cloud/aws_guardduty_disruption.yml
@@ -11,11 +11,10 @@ logsource:
 detection:
     selection_source:
     - eventSource: guardduty.amazonaws.com
-    events:
-    - eventName:
-        - CreateIPSet
-    condition: selection_source AND events
-level: medium
+    selection_eventName:
-    - eventName: CreateIPSet
+    condition: all of them
+level: high
 falsepositives:
     - Valid change in the GuardDuty (e.g. to ignore internal scanners)
 tags:
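Review bot: `condition: all of them | count() > 10` counts every matching DescribeInstanceAttribute call in the 30m window regardless of who made it, so a handful of unrelated administrators each reading userData once can trip the rule while a single principal's calls are not isolated; consider `condition: all of them | count() by userIdentity.arn > 10` (or `by sourceIPAddress`) so the threshold is applied per identity, after confirming the field name against this CloudTrail log source. Separately, `all of them` ANDs in every selection present in the detection block, so if a `filter` selection is ever added to this rule the condition must become `all of selection* and not filter`, otherwise the filter is required to match instead of excluded. The detection block (selection_source and the selection_requesttype the old condition referenced) starts outside the hunk, so this hedges on no other selections being present.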
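Review bot: With `level: high` and a title about GuardDuty disruption, the new `selection_eventName` still alerts only on `CreateIPSet`; the same evasion is achieved by `UpdateIPSet` on an existing trusted IP list, and outright disruption by `UpdateDetector` (disabling the detector) or `DeleteDetector`, none of which this rule sees. Widening the eventName value to a list keeps the `all of them` condition unchanged while covering those paths; verify each name against the GuardDuty API before merging. The falsepositives entry about ignoring internal scanners applies equally to UpdateIPSet and should stay as-is.

```yaml
    selection_eventName:
    - eventName:
        - CreateIPSet
        - UpdateIPSet
        - UpdateDetector
        - DeleteDetector
    # … unchanged: selection_source, condition: all of them …
```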