diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index 4fde46837..10da4f41e 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2021/10/18"
+updated_date = "2022/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ sequence by host.id with maxspan=5m
 [authentication where event.action == "logged-in" and
 /* event 4624 need to be logged */
 winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and
-not source.ip in ("127.0.0.1", "::1")] by winlog.event_data.TargetLogonId
+source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId
 /* event 4724 need to be logged */
 [iam where event.action == "reset-password"] by winlog.event_data.SubjectLogonId
 '''
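Review bot: The rewritten exclusion on the added line still compares against only the two literal loopback addresses, so a network logon whose `source.ip` is any other 127.0.0.0/8 address or the IPv4-mapped form `::ffff:127.0.0.1` is not excluded and will still seed the sequence; if the intent is to drop all local logons, EQL's `cidrMatch` expresses that as a range: `not cidrMatch(source.ip, "127.0.0.0/8", "::1/128")] by winlog.event_data.TargetLogonId`. The query does not record why the `in` form was replaced by two `!=` comparisons; if it is a limitation of `in` on `ip`-typed fields, a comment beside the condition such as `/* ip fields: compare with != or cidrMatch, not in */` would keep a later editor from reverting it. The hunk sits inside the `query` string, whose opening is outside the hunk.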