diff --git a/rules/windows/sysmon/sysmon_reg_office_security.yml b/rules/windows/sysmon/sysmon_reg_office_security.yml
index e9f00dda7..31fa9e192 100644
--- a/rules/windows/sysmon/sysmon_reg_office_security.yml
+++ b/rules/windows/sysmon/sysmon_reg_office_security.yml
@@ -17,14 +17,14 @@ logsource:
 detection:
 sec_settings:
 EventID:
- - 12
- - 13
+ - 12
+ - 13
 TargetObject|endswith:
 - '*\Security\Trusted Documents\TrustRecords'
 - '*\Security\AccessVBOM'
 - '*\Security\VBAWarnings'
 EventType:
- - SetValue
- - DeleteValue
- - CreateValue
+ - SetValue
+ - DeleteValue
+ - CreateValue
 condition: sec_settings