diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 563ba79bd..4e6db7077 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -94,9 +94,13 @@ network where event.type == "protocol" and network.protocol == "http" and
 "SolarWinds.BusinessLayerHostx64.exe",
 "SolarWinds.Collector.Service.exe",
 "SolarwindsDiagnostics.exe") and
- (http.request.body.content : "*/swip/Upload.ashx*" and http.request.body.content : ("POST*", "PUT*")) or
- (http.request.body.content : ("*/swip/SystemDescription*", "*/swip/Events*") and http.request.body.content : ("GET*", "HEAD*")) and
- not http.request.body.content : "*solarwinds.com*"
+ (
+ (
+ (http.request.body.content : "*/swip/Upload.ashx*" and http.request.body.content : ("POST*", "PUT*")) or
+ (http.request.body.content : ("*/swip/SystemDescription*", "*/swip/Events*") and http.request.body.content : ("GET*", "HEAD*"))
+ ) and
+ not http.request.body.content : "*solarwinds.com*"
+ )
 '''
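Review bot: The exclusion `not http.request.body.content : "*solarwinds.com*"` on the new side is a substring match over the whole captured request content, so any request whose path, query string or payload contains that string anywhere is suppressed regardless of which host it is sent to, and now that the added parentheses apply it to both the Upload.ashx and SystemDescription/Events branches it is a single term gating the entire rule. If the captured content includes the request headers, as the leading `POST*`/`GET*` patterns suggest, consider anchoring the exclusion to the host line, e.g. `not http.request.body.content : "*Host: *solarwinds.com*"` (constructed example), or record in the rule's notes why the broad substring is acceptable. The outermost pair of parentheses is redundant because `and` is left-associative, so the two inner groups alone would express the same precedence; keeping it is a readability choice rather than a defect. The query string this hunk edits begins before the hunk.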