diff --git a/rules/network/net_susp_network_scan.yml b/rules/network/net_susp_network_scan.yml
index c0de5d6fa..64eaa8621 100644
--- a/rules/network/net_susp_network_scan.yml
+++ b/rules/network/net_susp_network_scan.yml
@@ -7,9 +7,7 @@ detection:
     selection:
         action: denied
     timeframe: 24h
-    condition:
-        - selection | count(dst_port) by src_ip > 10
-        - selection | count(dst_ip) by src_ip > 10
+    condition: ( selection | count(dst_port) by src_ip > 10 ) or ( selection | count(dst_ip) by src_ip > 10 )
 fields:
     - src_ip
     - dst_ip
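Review bot: The new single-string `condition` joins two aggregation expressions with `or`, and the Sigma condition grammar (as I read it) permits only one `search-expression | aggregation` per condition string — the list form the hunk removes is the documented way to OR two aggregations, so this may fail to parse or silently drop the second aggregation in some backends; worth confirming against the converter you target before merging. If the target requires a single string, the safer alternative is to split the rule into two (port-sweep and host-sweep) rather than inventing an `or` between aggregations. Independently of syntax, `> 10` distinct denied ports or hosts per `src_ip` over `24h` is a low bar on any firewall log with normal retry or CDN traffic, so a comment such as `# thresholds are a starting point; tune per environment and expect noise from vulnerability scanners and monitoring hosts` above `timeframe` would help the next maintainer. The `detection:` key that encloses this block starts outside the hunk.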