diff --git a/rules/web/web_cve_2021_26858_iis_rce.yml b/rules/web/web_cve_2021_26858_iis_rce.yml
index d053cbe5d..eaddf371c 100644
--- a/rules/web/web_cve_2021_26858_iis_rce.yml
+++ b/rules/web/web_cve_2021_26858_iis_rce.yml
@@ -9,17 +9,17 @@ date: 2021/08/10
 logsource:
     product: windows
     category: webserver
-    service: iis
+    definition: w3c-logging must be enable https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging
 detection:
     selection:
-        http_method: 'POST'
-        http_code: 200
-        url_path: '/ecp/DDI/DDIService.svc/SetObject'
-        Message|contains|all:
+        cs-method: 'POST'
+        sc-status: 200
+        cs-uri-stem|startswith: '/ecp/DDI/DDIService.svc/SetObject'
+        cs-uri-stem|contains|all:
             - 'schema=Reset'
             - 'VirtualDirectory'
-        Username|endswith: '$'
+        cs-username|endswith: '$'
     condition: selection
 falsepositives:
     - Unlikely
-level: critical
\ No newline at end of file
+level: critical
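Review bot: The new `cs-uri-stem|contains|all` selection looks for `schema=Reset` and `VirtualDirectory` in the URI stem, but in W3C IIS logging the stem carries only the path (which the preceding `cs-uri-stem|startswith` already pins to `/ecp/DDI/DDIService.svc/SetObject`) while the query string is logged in the separate `cs-uri-query` field, so as far as I can tell a `SetObject?schema=ResetOABVirtualDirectory&...` request would never satisfy this rule and the detection goes silent after this change. The removed `Message|contains|all` matched against the whole line, which is why the old form worked; the W3C-field equivalent is `cs-uri-query|contains|all:` with the same two values. Because `cs-uri-query` and `cs-username` are optional W3C fields, the `definition:` line should also spell out that those fields have to be logged (and `must be enable` should read `must be enabled`).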