diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
index 56fba47f7..1a3d1035c 100644
--- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml
@@ -16,12 +16,12 @@ detection:
 - /etc/lsb-release
 - /etc/redhat-release
 - /etc/issue
- condition: 'selection or selection2'
- selection2:
+ selection2:
 type: EXECVE
 a0:
 - uname
 - uptime
+ condition: 'selection or selection2'
 tags:
 - attack.discovery
 - attack.t1082
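Review bot: The `a0` values in the new `selection2` are exact matches on `uname` and `uptime`, so auditd EXECVE records for path-qualified invocations such as `/usr/bin/uname -a` carry `a0=/usr/bin/uname` and never fire, and that form is common both in scripts and in copy-pasted recon one-liners. If the rule is meant to cover any invocation of these binaries, change the field to `a0|endswith:` with the same two values (`- uname`, `- uptime`), which matches both the bare name and the absolute path. Expect this to raise event volume, since `uname` is executed routinely by packaging and init scripts, so a `falsepositives` entry naming that (not visible in this hunk) would help analysts tune it. The `detection` block and the first `selection` begin above the hunk, so the field the `/etc/*-release` paths are matched against cannot be checked here.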