diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml
index fc6257f2e..324126620 100644
--- a/rules/linux/builtin/lnx_susp_dev_tcp.yml
+++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml
@@ -25,7 +25,7 @@ detection:
         - '(sh)0>/dev/tcp/'
         - 'bash -c ''bash -i >& /dev/tcp/'
         - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/'
-    condition: 1 of keywords
+    condition: keywords
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
index 2a95fa9fc..68b7cb97b 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
@@ -14,14 +14,15 @@ logsource:
     product: windows
     service: msexchange-management
 detection:
-    keywords:
+    keywords_cmdlet:
         - 'OabVirtualDirectory'
         - ' -ExternalUrl '
+    keywords_params:
         - 'eval(request'
         - 'http://f/<script'
         - '"unsafe"};'
         - 'function Page_Load()'
-    condition: all of keywords
+    condition: all of keywords_cmdlet and keywords_params
 falsepositives:
     - Unlikely
 level: critical