diff --git a/rules/0575-win-base_rules.xml b/rules/0575-win-base_rules.xml
index ab2894798..f3e5fd134 100644
--- a/rules/0575-win-base_rules.xml
+++ b/rules/0575-win-base_rules.xml
@@ -23,56 +23,56 @@
   <!-- Classification by channel -->
   <rule id="60001" level="0">
     <if_sid>60000</if_sid>
-    <field name="win.system.channel">^Security</field>
+    <field name="win.system.channel">^Security$</field>
     <options>no_full_log</options>
     <description>Group of Windows rules for the Security channel</description>
   </rule>
 
   <rule id="60002" level="0">
     <if_sid>60000</if_sid>
-    <field name="win.system.channel">^System</field>
+    <field name="win.system.channel">^System$</field>
     <options>no_full_log</options>
     <description>Group of Windows rules for the System channel</description>
   </rule>
 
   <rule id="60003" level="0">
     <if_sid>60000</if_sid>
-    <field name="win.system.channel">^Application</field>
+    <field name="win.system.channel">^Application$</field>
     <options>no_full_log</options>
     <description>Group of Windows rules for the Application channel</description>
   </rule>
 
   <rule id="60004" level="0">
     <if_sid>60000</if_sid>
-    <field name="win.system.channel">^Microsoft-Windows-Sysmon/Operational</field>
+    <field name="win.system.channel">^Microsoft-Windows-Sysmon/Operational$</field>
     <options>no_full_log</options>
     <description>Group of Windows rules for the Sysmon channel</description>
   </rule>
 
   <rule id="60005" level="0">
     <if_sid>60000</if_sid>
-    <field name="win.system.channel">^Microsoft-Windows-Windows Defender/Operational</field>
+    <field name="win.system.channel">^Microsoft-Windows-Windows Defender/Operational$</field>
     <options>no_full_log</options>
     <description>Group of Windows rules for the System channel</description>
   </rule>
 
   <rule id="60006" level="0">
-    <if_sid>60000</if_sid>
-    <field name="win.system.channel">^McLogEvent</field>
+    <if_sid>60003</if_sid>
+    <field name="win.system.providerName">^McLogEvent$</field>
     <options>no_full_log</options>
     <description>Group of Windows rules for the McAfee channel</description>
   </rule>
 
   <rule id="60007" level="0">
-    <if_sid>60001</if_sid>
-    <field name="win.system.providerName">^Microsoft-Windows-Eventlog</field>
+    <if_sid>60002</if_sid>
+    <field name="win.system.providerName">^Eventlog$</field>
     <options>no_full_log</options>
     <description>Group of rules for Windows Eventlog</description>
   </rule>
 
   <rule id="60008" level="0">
     <if_sid>60002</if_sid>
-    <field name="win.system.providerName">^Microsoft Antimalware</field>
+    <field name="win.system.providerName">^Microsoft Antimalware$</field>
     <options>no_full_log</options>
     <description>Group of Microsoft Security Essentials rules</description>
   </rule>
@@ -81,14 +81,14 @@
 
   <rule id="60009" level="0">
     <if_sid>60000</if_sid>
-    <field name="win.system.severityValue">^INFORMATION</field>
+    <field name="win.system.severityValue">^INFORMATION$</field>
     <description>Windows informational event</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="60010" level="0">
     <if_sid>60000</if_sid>
-    <field name="win.system.severityValue">^WARNING</field>
+    <field name="win.system.severityValue">^WARNING$</field>
     <description>Windows warning event</description>
     <options>no_full_log</options>
     <group>gpg13_4.12,</group>
@@ -96,7 +96,7 @@
   
   <rule id="60011" level="5">
     <if_sid>60000</if_sid>
-    <field name="win.system.severityValue">^ERROR</field>
+    <field name="win.system.severityValue">^ERROR$</field>
     <description>Windows error event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
@@ -104,7 +104,7 @@
 
   <rule id="60012" level="10">
     <if_sid>60000</if_sid>
-    <field name="win.system.severityValue">^CRITICAL</field>
+    <field name="win.system.severityValue">^CRITICAL$</field>
     <description>Windows critical event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
diff --git a/rules/0580-win-security_rules.xml b/rules/0580-win-security_rules.xml
index eacf10578..56bb01e20 100644
--- a/rules/0580-win-security_rules.xml
+++ b/rules/0580-win-security_rules.xml
@@ -12,14 +12,14 @@
 
   <rule id="60100" level="0">
     <if_sid>60001</if_sid>
-    <field name="win.system.severityValue">^INFORMATION</field>
+    <field name="win.system.severityValue">^INFORMATION$</field>
     <description>Windows Security informational event</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="60101" level="0">
     <if_sid>60001</if_sid>
-    <field name="win.system.severityValue">^WARNING</field>
+    <field name="win.system.severityValue">^WARNING$</field>
     <description>Windows Security warning event</description>
     <options>no_full_log</options>
     <group>gpg13_4.12,</group>
@@ -27,7 +27,7 @@
 
   <rule id="60102" level="5">
     <if_sid>60001</if_sid>
-    <field name="win.system.severityValue">^ERROR</field>
+    <field name="win.system.severityValue">^ERROR$</field>
     <description>Windows Security error event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
@@ -35,14 +35,14 @@
 
   <rule id="60103" level="0">
     <if_sid>60001</if_sid>
-    <field name="win.system.severityValue">^AUDIT_SUCCESS|^success</field>
+    <field name="win.system.severityValue">^AUDIT_SUCCESS$|^success$</field>
     <description>Windows audit success event</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="60104" level="5">
     <if_sid>60001</if_sid>
-    <field name="win.system.severityValue">^AUDIT_FAILURE|^failure</field>
+    <field name="win.system.severityValue">^AUDIT_FAILURE$|^failure$</field>
     <description>Windows audit failure event</description>
     <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     <options>no_full_log</options>
@@ -512,7 +512,7 @@
 
   <rule id="60161" level="0">
     <if_sid>60160,60141</if_sid>
-    <field name="win.eventdata.subjectAccountName">None</field>
+    <field name="win.eventdata.subjectAccountName">^None$</field>
     <description>Local User Group NONE</description>
     <options>no_full_log</options>
     <info>Bogus group user added to upon creation</info>
diff --git a/rules/0585-win-application_rules.xml b/rules/0585-win-application_rules.xml
index 9f3ba3b70..9ef221976 100644
--- a/rules/0585-win-application_rules.xml
+++ b/rules/0585-win-application_rules.xml
@@ -11,14 +11,14 @@
 <group name="windows,windows_application,">
   <rule id="60600" level="0">
     <if_sid>60003</if_sid>
-    <field name="win.system.severityValue">^INFORMATION</field>
+    <field name="win.system.severityValue">^INFORMATION$</field>
     <description>Windows Application informational event</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="60601" level="0">
     <if_sid>60003</if_sid>
-    <field name="win.system.severityValue">^WARNING</field>
+    <field name="win.system.severityValue">^WARNING$</field>
     <description>Windows Application warning event</description>
     <options>no_full_log</options>
     <group>gpg13_4.12,</group>
@@ -26,7 +26,7 @@
 
   <rule id="60602" level="9">
     <if_sid>60003</if_sid>
-    <field name="win.system.severityValue">^ERROR</field>
+    <field name="win.system.severityValue">^ERROR$</field>
     <description>Windows Application error event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
@@ -35,7 +35,7 @@
   <!--  Chrome Remote Desktop  -->
   <rule id="60603" level="5">
     <if_sid>60602</if_sid>
-    <field name="win.system.providerName">chromoting</field>
+    <field name="win.system.providerName">^chromoting$</field>
     <field name="win.system.message">\.*Access denied for client</field>
     <description>Chrome Remote Desktop attempt - access denied $(win.eventdata.data)</description>
     <options>no_full_log</options>
@@ -44,7 +44,7 @@
 
   <rule id="60604" level="5">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">chromoting</field>
+    <field name="win.system.providerName">^chromoting$</field>
     <field name="win.system.eventID">^1$</field>
     <description>Chrome Remote Desktop attempt - Client connected $(win.eventdata.data)</description>
     <options>no_full_log</options>
@@ -53,7 +53,7 @@
 
   <rule id="60605" level="5">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">chromoting</field>
+    <field name="win.system.providerName">^chromoting$</field>
     <field name="win.system.eventID">^2$</field>
     <description>Chrome Remote Desktop attempt - disconnected ($(win.eventdata.data))</description>
     <options>no_full_log</options>
@@ -63,7 +63,7 @@
   <!--{"win":{"system":{"providerName":"chromoting","eventID":"5","level":"4","task":"1","keywords":"0x80000000000000","systemTime":"2018-12-18T10:55:48.000000000Z","eventRecordID":"1801","channel":"Application","computer":"qnu","severityValue":"INFORMATION","message":"Hôte démarré pour l'utilisateur \\\"tinamay299@gmail.com\\\""},"eventdata":{"data":"user@gmail.com"}}}-->
   <rule id="60606" level="5">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">chromoting</field>
+    <field name="win.system.providerName">^chromoting$</field>
     <field name="win.system.eventID">^5$</field>
     <description>Chrome Remote Desktop attempt - started connection from $(win.eventdata.data)</description>
     <options>no_full_log</options>
@@ -72,7 +72,7 @@
 
   <rule id="60607" level="3">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-Defrag</field>
+    <field name="win.system.providerName">^Microsoft-Windows-Defrag$</field>
     <field name="win.system.eventID">^258$</field>
     <description>Disk defragmenter successfully completed an analysis</description>
     <options>no_full_log</options>
@@ -80,7 +80,7 @@
 
   <rule id="60608" level="4">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Windows Error Reporting</field>
+    <field name="win.system.providerName">^Windows Error Reporting$</field>
     <field name="win.system.eventID">^1001$</field>
     <description>Summary event of the report's signatures</description>
     <options>no_full_log</options>
@@ -88,7 +88,7 @@
 
   <rule id="60609" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">MsiInstaller</field>
+    <field name="win.system.providerName">^MsiInstaller$</field>
     <description>Group of MsiInstaller events</description>
     <options>no_full_log</options>
   </rule>
@@ -300,7 +300,7 @@
 
   <rule id="60639" level="3">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">LocationNotifications</field>
+    <field name="win.system.providerName">^LocationNotifications$</field>
     <field name="win.system.eventID">^1$</field>
     <description>A program accessed information from a location sensor or default location</description>
     <options>no_full_log</options>
@@ -308,7 +308,7 @@
 
   <rule id="60640" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-Security-SPP</field>
+    <field name="win.system.providerName">^Microsoft-Windows-Security-SPP$</field>
     <description>Group of SPP events</description>
     <options>no_full_log</options>
   </rule>
@@ -350,7 +350,7 @@
 
   <rule id="60646" level="5">
     <if_sid>60602</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-Security-SPP</field>
+    <field name="win.system.providerName">^Microsoft-Windows-Security-SPP$</field>
     <field name="win.system.eventID">^8198$</field>
     <description>License Activation (slui.exe) failed</description>
     <options>no_full_log</options>
@@ -534,7 +534,7 @@
 
   <rule id="60672" level="5">
     <if_sid>60601</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-Search</field>
+    <field name="win.system.providerName">^Microsoft-Windows-Search$</field>
     <field name="win.system.eventID">^1008$</field>
     <description>The Windows Search Service attempted to remove the old search index</description>
     <options>no_full_log</options>
@@ -543,7 +543,7 @@
   <rule id="60673" level="3">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^1$</field>
-    <field name="win.system.providerName">Microsoft-Windows-Search-ProfileNotify</field>
+    <field name="win.system.providerName">^Microsoft-Windows-Search-ProfileNotify$</field>
     <description>Windows Search Service indexed data for user successfully removed in response to user profile deletion</description>
     <options>no_full_log</options>
     <group>gdpr_IV_32.2,</group>
@@ -552,7 +552,7 @@
   <rule id="60674" level="3">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^16$</field>
-    <field name="win.system.providerName">Microsoft-Windows-Search-ProfileNotify</field>
+    <field name="win.system.providerName">^Microsoft-Windows-Search-ProfileNotify$</field>
     <description>Created default configuration for user</description>
     <options>no_full_log</options>
     <group>gdpr_IV_32.2,</group>
@@ -560,7 +560,7 @@
 
   <rule id="60675" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">VSS</field>
+    <field name="win.system.providerName">^VSS$</field>
     <description>Group of VSS events</description>
     <options>no_full_log</options>
   </rule>
@@ -770,7 +770,7 @@
 
   <rule id="60705" level="5">
     <if_sid>60602</if_sid>
-    <field name="win.system.providerName">VSS</field>
+    <field name="win.system.providerName">^VSS$</field>
     <field name="win.system.eventID">^12290$</field>
     <description>Volume Shadow Copy Service warning: ESENT ERROR</description>
     <options>no_full_log</options>
@@ -778,7 +778,7 @@
 
   <rule id="60706" level="5">
     <if_sid>60602</if_sid>
-    <field name="win.system.providerName">VSS</field>
+    <field name="win.system.providerName">^VSS$</field>
     <field name="win.system.eventID">^12291$</field>
     <description>Error creating or using the COM+ Writers publisher interface</description>
     <options>no_full_log</options>
@@ -786,7 +786,7 @@
 
   <rule id="60707" level="5">
     <if_sid>60602</if_sid>
-    <field name="win.system.providerName">VSS</field>
+    <field name="win.system.providerName">^VSS$</field>
     <field name="win.system.eventID">^12292$</field>
     <description>Error creating the Shadow Copy Provider COM class with CLSID</description>
     <options>no_full_log</options>
@@ -794,7 +794,7 @@
 
   <rule id="60708" level="5">
     <if_sid>60602</if_sid>
-    <field name="win.system.providerName">VSS</field>
+    <field name="win.system.providerName">^VSS$</field>
     <field name="win.system.eventID">^12293$</field>
     <description>Error calling a routine on a Shadow Copy Provider</description>
     <options>no_full_log</options>
@@ -844,7 +844,7 @@
 
   <rule id="60715" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">System Restore</field>
+    <field name="win.system.providerName">^System Restore$</field>
     <description>Group of System Restore events</description>
     <options>no_full_log</options>
   </rule>
@@ -900,7 +900,7 @@
 
   <rule id="60723" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Application Error</field>
+    <field name="win.system.providerName">^Application Error$</field>
     <description>Group of Application Error events</description>
     <options>no_full_log</options>
   </rule>
@@ -921,7 +921,7 @@
 
   <rule id="60726" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-WMI</field>
+    <field name="win.system.providerName">^Microsoft-Windows-WMI$</field>
     <description>Group of WMI events</description>
     <options>no_full_log</options>
   </rule>
@@ -935,7 +935,7 @@
 
   <rule id="60728" level="5">
     <if_sid>60602</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-WMI</field>
+    <field name="win.system.providerName">^Microsoft-Windows-WMI$</field>
     <field name="win.system.eventID">^29$</field>
     <description>WMI Service could not be initialized</description>
     <options>no_full_log</options>
@@ -1083,7 +1083,7 @@
 
   <rule id="60749" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-EventSystem</field>
+    <field name="win.system.providerName">^Microsoft-Windows-EventSystem$</field>
     <description>Group of EventSystem events</description>
     <options>no_full_log</options>
   </rule>
@@ -1231,7 +1231,7 @@
 
   <rule id="60770" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Desktop Window Manager</field>
+    <field name="win.system.providerName">^Desktop Window Manager$</field>
     <description>Group of Desktop Window Manager events</description>
     <options>no_full_log</options>
   </rule>
@@ -1259,7 +1259,7 @@
 
   <rule id="60774" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-Winlogon</field>
+    <field name="win.system.providerName">^Microsoft-Windows-Winlogon$</field>
     <description>Group of Winlogon events</description>
     <options>no_full_log</options>
   </rule>
@@ -1407,7 +1407,7 @@
 
   <rule id="60795" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">ESENT</field>
+    <field name="win.system.providerName">^ESENT$</field>
     <description>Group of ESENT events</description>
     <options>no_full_log</options>
   </rule>
@@ -1603,7 +1603,7 @@
 
   <rule id="60823" level="3">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-CEIP</field>
+    <field name="win.system.providerName">^Microsoft-Windows-CEIP$</field>
     <field name="win.system.eventID">^1005$</field>
     <description>Customer Experience Improvement Program data successfully consolidated</description>
     <options>no_full_log</options>
@@ -1611,7 +1611,7 @@
 
   <rule id="60824" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-CAPI2</field>
+    <field name="win.system.providerName">^Microsoft-Windows-CAPI2$</field>
     <description>Group of CAPI2 events</description>
     <options>no_full_log</options>
   </rule>
@@ -1709,7 +1709,7 @@
 
   <rule id="60838" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-MSDTC</field>
+    <field name="win.system.providerName">^Microsoft-Windows-MSDTC$</field>
     <description>Group of MSDTC events</description>
     <options>no_full_log</options>
   </rule>
@@ -2957,7 +2957,7 @@
 
   <rule id="61016" level="0">
     <if_sid>60602</if_sid>
-    <field name="win.system.providerName">.NET Runtime</field>
+    <field name="win.system.providerName">^.NET Runtime$</field>
     <description>Group of .NET Runtime events</description>
     <options>no_full_log</options>
   </rule>
@@ -2999,7 +2999,7 @@
 
   <rule id="61022" level="5">
     <if_sid>60602</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-LocationProvider</field>
+    <field name="win.system.providerName">^Microsoft-Windows-LocationProvider$</field>
     <field name="win.system.eventID">^2006$</field>
     <description>There was an error with the Windows Location Provider database</description>
     <options>no_full_log</options>
@@ -3007,7 +3007,7 @@
 
   <rule id="61023" level="3">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-LocationProvider</field>
+    <field name="win.system.providerName">^Microsoft-Windows-LocationProvider$</field>
     <field name="win.system.eventID">^2001$</field>
     <description>Windows Location Provider started</description>
     <options>no_full_log</options>
@@ -3015,7 +3015,7 @@
 
   <rule id="61024" level="3">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-LocationProvider</field>
+    <field name="win.system.providerName">^Microsoft-Windows-LocationProvider$</field>
     <field name="win.system.eventID">^2003$</field>
     <description>The Windows Location Provider has shutdown</description>
     <options>no_full_log</options>
@@ -3023,7 +3023,7 @@
 
   <rule id="61025" level="3">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-UserModePowerService</field>
+    <field name="win.system.providerName">^Microsoft-Windows-UserModePowerService$</field>
     <field name="win.system.eventID">^12$</field>
     <description>Process $(win.eventdata.processPath) has reset policy scheme from $(win.eventdata.oldSchemeGuid) to $(win.eventdata.newSchemeGuid)</description>
     <options>no_full_log</options>
@@ -3031,7 +3031,7 @@
 
   <rule id="61026" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Application Management</field>
+    <field name="win.system.providerName">^Application Management$</field>
     <description>Group of Application Management events</description>
     <options>no_full_log</options>
   </rule>
@@ -3094,7 +3094,7 @@
 
   <rule id="61035" level="5">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">DNSCache</field>
+    <field name="win.system.providerName">^DNSCache$</field>
     <field name="win.system.eventID">^11050$</field>
     <description>The DNS Client service could not contact any DNS servers for a repeated number of attempts</description>
     <options>no_full_log</options>
@@ -3102,7 +3102,7 @@
 
   <rule id="61036" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Disk</field>
+    <field name="win.system.providerName">^Disk$</field>
     <description>Group of Disk events</description>
     <options>no_full_log</options>
   </rule>
@@ -3220,7 +3220,7 @@
   </rule>
 
   <rule id="61053" level="3">
-    <field name="win.system.providerName">EventCreate</field>
+    <field name="win.system.providerName">^EventCreate$</field>
     <field name="win.system.eventID">^100$</field>
     <description>Event created in the application log</description>
     <options>no_full_log</options>
@@ -3228,7 +3228,7 @@
 
   <rule id="61054" level="0">
     <if_sid>60600</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-EventCollector</field>
+    <field name="win.system.providerName">^Microsoft-Windows-EventCollector$</field>
     <description>Group of EventCollector events</description>
     <options>no_full_log</options>
   </rule>
@@ -3270,7 +3270,7 @@
 
   <rule id="61060" level="5">
     <if_sid>60600,60601,60602</if_sid>
-    <field name="win.system.providerName">Microsoft-Windows-Perflib</field>
+    <field name="win.system.providerName">^Microsoft-Windows-Perflib$</field>
     <field name="win.system.eventID">^1008$</field>
     <description>The Open Procedure for service Remote Access failed</description>
     <options>no_full_log</options>
diff --git a/rules/0590-win-system_rules.xml b/rules/0590-win-system_rules.xml
index 0993fd45e..e90675f1a 100644
--- a/rules/0590-win-system_rules.xml
+++ b/rules/0590-win-system_rules.xml
@@ -11,14 +11,14 @@
 <group name="windows, windows_system">
   <rule id="61100" level="0">
     <if_sid>60002</if_sid>
-    <field name="win.system.severityValue">^INFORMATION</field>
+    <field name="win.system.severityValue">^INFORMATION$</field>
     <description>Windows System informational event</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="61101" level="0">
     <if_sid>60002</if_sid>
-    <field name="win.system.severityValue">^WARNING</field>
+    <field name="win.system.severityValue">^WARNING$</field>
     <description>Windows System warning event</description>
     <options>no_full_log</options>
     <group>gpg13_4.12,</group>
@@ -26,7 +26,7 @@
 
   <rule id="61102" level="5">
     <if_sid>60002</if_sid>
-    <field name="win.system.severityValue">^ERROR</field>
+    <field name="win.system.severityValue">^ERROR$</field>
     <description>Windows System error event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
@@ -34,7 +34,7 @@
 
   <rule id="61103" level="9">
     <if_sid>60002</if_sid>
-    <field name="win.system.severityValue">^CRITICAL</field>
+    <field name="win.system.severityValue">^CRITICAL$</field>
     <description>Windows System critical event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
@@ -53,7 +53,7 @@
   <rule id="61105" level="9">
     <if_sid>61103</if_sid>
     <field name="win.system.eventID">^41$</field>
-    <field name="win.system.providerName">^Microsoft-Windows-Kernel-Power</field>
+    <field name="win.system.providerName">^Microsoft-Windows-Kernel-Power$</field>
     <description>The system stopped responding, crashed or lost power unexpectedly</description>
     <options>no_full_log</options>
   </rule>
@@ -61,7 +61,7 @@
   <rule id="61106" level="5">
     <if_sid>61101</if_sid>
     <field name="win.system.eventID">^219$</field>
-    <field name="win.system.providerName">^Microsoft-Windows-Kernel-PnP</field>
+    <field name="win.system.providerName">^Microsoft-Windows-Kernel-PnP$</field>
     <description>The driver $(win.eventdata.failureName) failed to load for the device $(win.eventdata.driverName)</description>
     <options>no_full_log</options>
   </rule>
@@ -70,7 +70,7 @@
     <if_sid>61102</if_sid>
     <field name="win.system.eventID">^7031$</field>
     <field name="win.eventdata.param1">\.+</field>
-    <field name="win.system.providerName">^Service Control Manager</field>
+    <field name="win.system.providerName">^Service Control Manager$</field>
     <description>$(win.eventdata.param1) terminated unexpectedly</description>
     <options>no_full_log</options>
   </rule>
@@ -78,7 +78,7 @@
   <rule id="61108" level="5">
     <if_sid>61102</if_sid>
     <field name="win.system.eventID">^7022$</field>
-    <field name="win.system.providerName">^Service Control Manager</field>
+    <field name="win.system.providerName">^Service Control Manager$</field>
     <description>The Windows Search service hung on starting</description>
     <options>no_full_log</options>
   </rule>
@@ -86,7 +86,7 @@
   <rule id="61109" level="5">
     <if_sid>61101</if_sid>
     <field name="win.system.eventID">^1014$</field>
-    <field name="win.system.providerName">^Microsoft-Windows-DNS-Client</field>
+    <field name="win.system.providerName">^Microsoft-Windows-DNS-Client$</field>
     <description>Name resolution for the name $(win.eventdata.queryName) timed out</description>
     <options>no_full_log</options>
   </rule>
@@ -111,7 +111,7 @@
 
   <rule id="61113" level="0">
     <if_sid>61100</if_sid>
-    <field name="win.system.providerName">Browser</field>
+    <field name="win.system.providerName">^Browser$</field>
     <description>Group of Browser events</description>
     <options>no_full_log</options>
   </rule>
diff --git a/rules/0595-win-sysmon_rules.xml b/rules/0595-win-sysmon_rules.xml
index 77e5be7c7..6d4a84847 100644
--- a/rules/0595-win-sysmon_rules.xml
+++ b/rules/0595-win-sysmon_rules.xml
@@ -11,14 +11,14 @@
 <group name="windows,sysmon,">
   <rule id="61600" level="0">
     <if_sid>60004</if_sid>
-    <field name="win.system.severityValue">^INFORMATION</field>
+    <field name="win.system.severityValue">^INFORMATION$</field>
     <description>Windows Sysmon informational event</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="61601" level="0">
     <if_sid>60004</if_sid>
-    <field name="win.system.severityValue">^WARNING</field>
+    <field name="win.system.severityValue">^WARNING$</field>
     <description>Windows Sysmon warning event</description>
     <options>no_full_log</options>
     <group>gpg13_4.12,</group>
@@ -26,7 +26,7 @@
 
   <rule id="61602" level="5">
     <if_sid>60004</if_sid>
-    <field name="win.system.severityValue">^ERROR</field>
+    <field name="win.system.severityValue">^ERROR$</field>
     <description>Windows Sysmon error event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
diff --git a/rules/0600-win-wdefender_rules.xml b/rules/0600-win-wdefender_rules.xml
index 67bc8c50e..bac6094f0 100644
--- a/rules/0600-win-wdefender_rules.xml
+++ b/rules/0600-win-wdefender_rules.xml
@@ -12,14 +12,14 @@
 <group name="windows,windows_defender,">
   <rule id="62100" level="0">
     <if_sid>60005</if_sid>
-    <field name="win.system.severityValue">^INFORMATION</field>
+    <field name="win.system.severityValue">^INFORMATION$</field>
     <description>Windows Defender informational event</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="62101" level="0">
     <if_sid>60005</if_sid>
-    <field name="win.system.severityValue">^WARNING</field>
+    <field name="win.system.severityValue">^WARNING$</field>
     <description>Windows Defender warning event</description>
     <options>no_full_log</options>
     <group>gpg13_4.12,</group>
@@ -27,7 +27,7 @@
 
   <rule id="62102" level="5">
     <if_sid>60005</if_sid>
-    <field name="win.system.severityValue">^ERROR</field>
+    <field name="win.system.severityValue">^ERROR$</field>
     <description>Windows Defender error event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
@@ -38,7 +38,7 @@
   <rule id="62103" level="12">
     <if_sid>62101</if_sid>
     <field name="win.system.eventID">^1116$</field>
-    <description>Windows Defender: detected potentially unwanted software $(win.eventdata.processName)</description>
+    <description>Windows Defender: detected potentially unwanted software $(win.eventdata.process Name)</description>
     <options>no_full_log</options>
     <group>gdpr_IV_35.7.d,</group>
   </rule>
@@ -48,7 +48,7 @@
   <rule id="62104" level="7">
     <if_sid>62100</if_sid>
     <field name="win.system.eventID">^1117$</field>
-    <description>Windows Defender: taken action to protect machine from unwanted software $(win.eventdata.processName)</description>
+    <description>Windows Defender: taken action to protect machine from unwanted software $(win.eventdata.process Name)</description>
     <options>no_full_log</options>
     <group>gdpr_IV_35.7.d,</group>
   </rule>
diff --git a/rules/0605-win-mcafee_rules.xml b/rules/0605-win-mcafee_rules.xml
index 243960727..edf8ccf8b 100644
--- a/rules/0605-win-mcafee_rules.xml
+++ b/rules/0605-win-mcafee_rules.xml
@@ -17,14 +17,14 @@
 <group name="windows,mcafee,">
   <rule id="62600" level="0">
     <if_sid>60006</if_sid>
-    <field name="win.system.severityValue">^INFORMATION</field>
+    <field name="win.system.severityValue">^INFORMATION$</field>
     <description>Windows McAfee informational event</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="62601" level="0">
     <if_sid>60006</if_sid>
-    <field name="win.system.severityValue">^WARNING</field>
+    <field name="win.system.severityValue">^WARNING$</field>
     <description>Windows McAfee warning event</description>
     <options>no_full_log</options>
     <group>gpg13_4.12,</group>
@@ -32,7 +32,7 @@
 
   <rule id="62602" level="5">
     <if_sid>60006</if_sid>
-    <field name="win.system.severityValue">^ERROR</field>
+    <field name="win.system.severityValue">^ERROR$</field>
     <description>Windows McAfee error event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
diff --git a/rules/0610-win-ms_logs_rules.xml b/rules/0610-win-ms_logs_rules.xml
index 33016bcee..c55f0f70a 100644
--- a/rules/0610-win-ms_logs_rules.xml
+++ b/rules/0610-win-ms_logs_rules.xml
@@ -13,14 +13,14 @@
 
   <rule id="63100" level="0">
     <if_sid>60007</if_sid>
-    <field name="win.system.severityValue">^INFORMATION</field>
+    <field name="win.system.severityValue">^INFORMATION$</field>
     <description>Windows Eventlog informational event</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="63101" level="0">
     <if_sid>60007</if_sid>
-    <field name="win.system.severityValue">^WARNING</field>
+    <field name="win.system.severityValue">^WARNING$</field>
     <description>Windows Eventlog warning event</description>
     <options>no_full_log</options>
     <group>gpg13_4.12,</group>
@@ -28,7 +28,7 @@
 
   <rule id="63102" level="5">
     <if_sid>60007</if_sid>
-    <field name="win.system.severityValue">^ERROR</field>
+    <field name="win.system.severityValue">^ERROR$</field>
     <description>Windows Eventlog error event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
diff --git a/rules/0615-win-ms-se_rules.xml b/rules/0615-win-ms-se_rules.xml
index af13e91f4..25f6fc906 100644
--- a/rules/0615-win-ms-se_rules.xml
+++ b/rules/0615-win-ms-se_rules.xml
@@ -12,14 +12,14 @@
 
   <rule id="63600" level="0">
     <if_sid>60008</if_sid>
-    <field name="win.system.severityValue">^INFORMATION</field>
+    <field name="win.system.severityValue">^INFORMATION$</field>
     <description>Microsoft Antimalware informational event</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="63601" level="0">
     <if_sid>60008</if_sid>
-    <field name="win.system.severityValue">^WARNING</field>
+    <field name="win.system.severityValue">^WARNING$</field>
     <description>Microsoft Antimalware warning event</description>
     <options>no_full_log</options>
     <group>gpg13_4.12,</group>
@@ -27,7 +27,7 @@
 
   <rule id="63602" level="5">
     <if_sid>60008</if_sid>
-    <field name="win.system.severityValue">^ERROR</field>
+    <field name="win.system.severityValue">^ERROR$</field>
     <description>Microsoft Antimalware error event</description>
     <options>no_full_log</options>
     <group>system_error,gpg13_4.3,gdpr_IV_35.7.d,</group>
diff --git a/rules/0620-win-generic_rules.xml b/rules/0620-win-generic_rules.xml
index 600d22809..bc314ee51 100644
--- a/rules/0620-win-generic_rules.xml
+++ b/rules/0620-win-generic_rules.xml
@@ -14,7 +14,7 @@
 
   <rule id="64100" level="0">
     <if_sid>60009,60010,60011,60012</if_sid>
-    <field name="win.system.channel">^File Replication Service</field>
+    <field name="win.system.channel">^File Replication Service$</field>
     <description>Group of Windows rules for Remote Access</description>
     <options>no_full_log</options>
   </rule>
@@ -45,7 +45,7 @@
 
   <rule id="64104" level="0">
     <if_sid>60009,60010,60011,60012</if_sid>
-    <field name="win.system.channel">^Microsoft-Windows-TerminalServices</field>
+    <field name="win.system.channel">^Microsoft-Windows-TerminalServices$</field>
     <description>Group of Windows rules for Terminal Services</description>
     <options>no_full_log</options>
   </rule>