diff --git a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
index 7799ec61f..cde64423f 100644
--- a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
+++ b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.html
@@ -95,7 +95,7 @@
                       [label]="'Incident response automation is active'">
       </app-utm-toggle>
     </div>
-    <div *ngIf="step===2" class="configure-step mt-3 mb-3 has-fixed-height overflow-auto">
+    <div *ngIf="step===2" class="configure-step mt-3 mb-3">
 
       <div class="w-100">
         <div formArrayName="conditions">
@@ -179,17 +179,17 @@
         </div>-->
       </div>
       <div class="d-flex mt-3 flex-column">
-          <app-utm-toggle (toggleChange)="formRule.get('agentType').setValue($event)"
+        <div class="alert alert-info alert-styled-right mb-2 info-dismissible">
+          <span class="font-weight-semibold">Info! </span>
+          <span>Select the agent handling strategy for the automation. By default (not active), commands will run on specified platform agents if the trigger conditions and dataSource field value of the alert match. Alternatively, choose a default agent to run the automation if no other agent matches the criteria. If this option is active, commands will run only on specified platform agents if the trigger conditions and dataSource field value of the alert match, if not, the automation won't be executed.</span>
+        </div>
+          <app-utm-toggle (toggleChange)="onChangeToggle($event)"
                           [active]="formRule.get('agentType').value"
                           [emitAtStart]="false"
                           [customClass]="'pl-3'"
-                          [label]="'Agent handling strategy for the automation'"></app-utm-toggle>
-            <div class="alert alert-info alert-styled-right mt-1 info-dismissible">
-              <span class="font-weight-semibold">Info! </span>
-              <span>Select the agent handling strategy for the automation. By default, commands won't run on specified agents, even if the trigger conditions match. Alternatively, choose a default agent to run the automation if no other agent matches the criteria.</span>
-            </div>
+                          [label]="'Run on specific agent'"></app-utm-toggle>
       </div>
-      <div *ngIf="formRule.get('agentType').value" class="d-flex mt-3 flex-column">
+      <div *ngIf="!formRule.get('agentType').value" class="d-flex mt-2 flex-column">
         <div class="col-12 p-0">
           <label class="pb-1" for="exclude">Exclude agents</label>
           <ng-select [clearable]="false"
@@ -212,9 +212,9 @@
           </div>
         </div>
       </div>
-      <div *ngIf="!formRule.get('agentType').value" class="d-flex mt-3 flex-column">
-        <div  class="col-12 p-0">
-          <label class="pb-1" for="exclude">Default agents</label>
+      <div *ngIf="formRule.get('agentType').value" class="d-flex mt-2 flex-column">
+        <div  class="col-6 p-0">
+          <label class="pb-1" for="exclude">Default agent</label>
           <ng-select [clearable]="false"
                      [items]="agents"
                      [placeholder]="'Select agent'"
diff --git a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
index 2df0798e4..6b44515da 100644
--- a/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
+++ b/frontend/src/app/incident-response/shared/component/ir-create-rule/ir-create-rule.component.ts
@@ -54,7 +54,7 @@ export class IrCreateRuleComponent implements OnInit {
       conditions: this.fb.array([]),
       command: ['', Validators.required],
       active: [true],
-      agentType: [true],
+      agentType: [false],
       excludedAgents: [[]],
       defaultAgent: [''],
       agentPlatform: ['', Validators.required]
@@ -81,7 +81,7 @@ export class IrCreateRuleComponent implements OnInit {
         this.ruleConditions.push(ruleCondition);
         this.getAgents(this.formRule.get('agentPlatform').value);
         this.formRule.get('excludedAgents').setValue(this.rule.excludedAgents);
-        this.formRule.get('agentType').setValue(this.rule.excludedAgents.length > 0);
+        this.formRule.get('agentType').setValue(this.rule.excludedAgents.length === 0);
         this.formRule.get('defaultAgent').setValue(this.rule.defaultAgent);
       }
     } else if (this.alert) {
@@ -148,6 +148,9 @@ export class IrCreateRuleComponent implements OnInit {
   }
 
   nextStep() {
+    if (this.step === 3) {
+      this.formRule.get('command').setValue(this.command);
+    }
     this.stepCompleted.push(this.step);
     this.step += 1;
   }
@@ -194,7 +197,6 @@ export class IrCreateRuleComponent implements OnInit {
   }
 
   editRule() {
-    console.log('edit');
     const action = 'edited';
     const actionError = 'editing';
     this.clearAgentTypeSelection();
@@ -216,7 +218,7 @@ export class IrCreateRuleComponent implements OnInit {
   }
 
  clearAgentTypeSelection() {
-   if (!this.formRule.get('agentType').value) {
+   if (this.formRule.get('agentType').value) {
      this.formRule.get('excludedAgents').setValue([]);
    } else {
      this.formRule.get('defaultAgent').setValue('');
@@ -247,13 +249,13 @@ export class IrCreateRuleComponent implements OnInit {
   }
 
   isDisable(step: number) {
-    console.log((!this.formRule.get('agentType').value && this.formRule.get('defaultAgent').value === ''));
     switch (step) {
       case 1:
         return !this.formRule.get('name').valid || !this.formRule.get('description').valid || this.exist;
       case 2:
         return !this.formRule.get('agentPlatform').valid || this.ruleConditions.length === 0
-            || (!this.formRule.get('agentType').value && !this.formRule.get('defaultAgent').value);
+            || !this.ruleConditions.valid
+            || (this.formRule.get('agentType').value && !this.formRule.get('defaultAgent').value);
       case 3:
         return !this.command || this.command === '';
     }
@@ -283,8 +285,13 @@ export class IrCreateRuleComponent implements OnInit {
     });
   }
 
-  onChangeToggle() {
-
+  onChangeToggle($event) {
+    if ($event ) {
+      this.formRule.get('excludedAgents').setValue([]);
+    } else {
+      this.formRule.get('defaultAgent').setValue('');
+    }
+    this.formRule.get('agentType').setValue($event);
   }
 
 }
diff --git a/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html b/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html
index d7915de71..fd495e823 100644
--- a/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html
+++ b/frontend/src/app/incident-response/shared/component/ir-summary/ir-summary.component.html
@@ -19,7 +19,7 @@
     </span>
 
 
-    <ng-container *ngIf="agentType">
+    <ng-container *ngIf="!agentType">
       <span>
         Importantly, the automation excludes designated agents, such as
       </span>
@@ -28,7 +28,7 @@
       </span>
     </ng-container>
 
-    <ng-container *ngIf="!agentType">
+    <ng-container *ngIf="agentType">
       <span>
         In case none of the agents satisfy the specified conditions, the automation will smoothly revert and execute on the default agent,
         <span class="badge p-1 border-1 badge-flat font-weight-light border-info-800 text-info-800 mr-2 mb-2">
@@ -44,7 +44,7 @@
     <span>
      Crucially, when these conditions are met, the automation will proceed to execute the following action:
     </span>
-    <app-utm-code-view [code]="command" [allowCopy]="true"></app-utm-code-view>
+    <app-utm-code-view class="w-100 mt-1" [code]="command" [allowCopy]="false"></app-utm-code-view>
   </div>
 </div>
 
diff --git a/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java b/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
index 8f8d6945e..c4773247f 100644
--- a/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
+++ b/user-auditor/src/main/java/com/utmstack/userauditor/model/winevent/WinEventLog.java
@@ -19,16 +19,17 @@ public class WinEventLog{
     public ArrayList<String> keywords;
     public String level;
     public String log_name;
-    public String message;
+
+    public String mesage;
     public String opcode;
-    public int process_id;
+    public String process_id;
     public String provider_guid;
-    public int record_number;
+    public String record_number;
     public String source_name;
     public ArrayList<String> tags;
     public String task;
-    public int thread_id;
-    public int version;
+    public String thread_id;
+    public String version;
 }