diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
index a882d4e9a..ffec6797d 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
@@ -15,9 +15,9 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage: '*\consent.exe'
- Image: '*\iexplore.exe'
- CommandLine: '* http*'
+ ParentImage|endswith: '\consent.exe'
+ Image|endswith: '\iexplore.exe'
+ CommandLine|contains: ' http'
 rights1:
 IntegrityLevel: 'System' # for Sysmon users
 rights2:
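Review bot: The new `CommandLine|contains: ' http'` line still depends on a literal space directly before the URL, as the old `'* http*'` pattern did, so an event in which the URL argument is logged quoted or tab-separated would not match. Because `ParentImage|endswith: '\consent.exe'` combined with `Image|endswith: '\iexplore.exe'` is already narrow, `CommandLine|contains: 'http'` should not add noise; if the space is intentional, a comment such as `# leading space: URL passed as a separate argument` would record why. The selection also covers only iexplore.exe, which presumably misses hosts where the link opens in a different default browser, and that limitation is worth stating in the rule's description. The detection block continues past the hunk (the body of `rights2` and the condition are not visible), so this assumes the condition combines `selection` with the rights filters.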