diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
index f3199403..d0c169d4 100644
--- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
@@ -9,13 +9,13 @@ logsource:
     category: proxy
 detection:
     selection:
-        c-useragent:
-            - 'Microsoft BITS/*'
+        c-useragent|startswith:
+            - 'Microsoft BITS/'
     falsepositives:
-        r-dns:
-            - '*.com'
-            - '*.net'
-            - '*.org'
+        r-dns|endswith:
+            - '.com'
+            - '.net'
+            - '.org'
     condition: selection and not falsepositives
 fields:
     - ClientIP
@@ -30,4 +30,4 @@ tags:
     - attack.defense_evasion
     - attack.persistence
     - attack.t1197
-    - attack.s0190
\ No newline at end of file
+    - attack.s0190
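Review bot: The new `r-dns|endswith` exclusion, like the `*.com`/`*.net`/`*.org` wildcards it replaces, suppresses every BITS transfer whose destination host ends in those three TLDs, so a download from an attacker-registered `.com` host never produces an alert from this rule; that matches the title's "suspicious TLD" scope but is not stated anywhere inside `detection`, where an analyst tuning the rule will read it. I would add a comment above the exclusion, `# Deliberately drops all .com/.net/.org destinations: this rule only flags BITS downloads from less common TLDs`, so the gap is documented rather than inferred. The modifier rewrite itself is equivalent to the old wildcard strings and is not the point. As a smaller style note, naming the filter selection `falsepositives` shadows the top-level Sigma `falsepositives` field; a name such as `filter_common_tld` would read less ambiguously, though that line is context here rather than part of the change. The `logsource:` mapping this hunk starts in begins outside the hunk.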