diff --git a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
index 7ed9e5e94..7c42b85da 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml
@@ -10,7 +10,7 @@ tags:
 - attack.exfiltration
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_main:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
index 7289529c2..7b47aaf7f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
@@ -25,7 +25,7 @@ detection:
 - '\psloglist.exe'
 - '\psloglist64.exe'
 selection_cli_eventlog:
- CommandLine|contains|all:
+ CommandLine|contains:
 - ' security'
 - ' application'
 - ' system'
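Review bot: The new `category: ps_script` line only narrows the rule to Script Block Logging events if the conversion pipeline maps that category (EventID 4104 in the PowerShell Operational channel); a backend without that mapping may apply the detection strings to a much wider set of Windows logs, or to none. The hunk ends at `selection_main:`, so whether the detection itself pins the event ID is not visible here. I would make the requirement explicit in the context line below the change, e.g. `definition: 'Requirements: Script Block Logging must be enabled (EventID 4104)'`. This file section has a single hunk starting at line 10, so the rule's `modified` date appears to be unchanged; the same holds for proc_creation_win_susp_psloglist.yml.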
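Review bot: With `CommandLine|contains` the three log names under `selection_cli_eventlog` become alternatives, but the selection still needs a full log name on the command line. The Sysinternals documentation describes the System log as PsLogList's default when no log name is given, so if the condition (outside this hunk) requires this selection, such a run would not match; it is worth checking that the condition can also fire on the image plus the dump flags alone. The switch from all-of to any-of also deserves a comment above the modifier line, for example `# any one log name is enough: psloglist takes a single event log argument`.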