diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 6b12134f8..d1a9b2aa3 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -17,18 +17,18 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "eql"
 query = '''
-file where event.type != "deletion" and user.domain != "NT AUTHORITY"
- and (
- // detect shortcuts created by wscript.exe or cscript.exe
- file.path : "C:\\*\\Programs\\Startup\\*.lnk" and
- process.name : ("wscript.exe", "cscript.exe")
- ) or
- // detect vbs or js files created by any process
- file.path : ("C:\\*\\Programs\\Startup\\*.vbs", "C:\\*\\Programs\\Startup\\*.vbe", "C:\\*\\Programs\\Startup\\*.wsh", "C:\\*\\Programs\\Startup\\*.wsf", "C:\\*\\Programs\\Startup\\*.js")
+file where event.type != "deletion" and user.domain != "NT AUTHORITY" and
+
+ /* detect shortcuts created by wscript.exe or cscript.exe */
+ (file.path : "C:\\*\\Programs\\Startup\\*.lnk" and
+ process.name : ("wscript.exe", "cscript.exe")) or
+
+ /* detect vbs or js files created by any process */
+ file.path : ("C:\\*\\Programs\\Startup\\*.vbs", "C:\\*\\Programs\\Startup\\*.vbe", "C:\\*\\Programs\\Startup\\*.wsh", "C:\\*\\Programs\\Startup\\*.wsf", "C:\\*\\Programs\\Startup\\*.js")
 '''
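Review bot: The trailing `or` on the `process.name : ("wscript.exe", "cscript.exe")) or` line still leaves the `.vbs/.vbe/.wsh/.wsf/.js` branch outside the `event.type != "deletion"` and `user.domain != "NT AUTHORITY"` guards, because `and` binds tighter than `or` in EQL, so the new query parses as `(event-type and domain filters and the .lnk clause) or (script-extension paths)` and a script being deleted from, or written by SYSTEM into, the Startup folder still fires. The removed version had the same precedence shape, so this reformat preserves rather than introduces the problem, but the commit rewrites exactly these lines and is the natural place to close it. Wrapping both alternatives in a single group restores the intended `filters and (shortcut clause or script clause)` reading: end the first line with `file where event.type != "deletion" and user.domain != "NT AUTHORITY" and (` and close the group with `)` after `"C:\\*\\Programs\\Startup\\*.js")`. The `@@ -17,18 +17,18 @@` header counts more lines than are shown, so the hunk's trailing context appears to run past this view.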