diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 8bd1709e..c3a4bfbc 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -344,7 +344,8 @@
 - macro: splunk_running_forwarder
 condition: >
- (proc.pname=splunkd and proc.cmdline startswith "sh -c /opt/splunkforwarder")
+ (proc.pname=splunkd and proc.cmdline startswith
+ "sh -c /opt/splunkforwarder")
 - macro: perl_running_plesk
 condition: >
@@ -389,29 +390,29 @@
 System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious. This rule includes failed file open attempts.
-condition: >
- (
- open_read or open_file_failed
- )
- and (
- etc_dir or user_ssh_directory or
- fd.name startswith /root/.ssh or
- fd.name contains "id_rsa"
- )
- and directory_traversal
- and not proc.pname in (shell_binaries)
-
- enabled: true
- output: Read monitored file via directory traversal
- (file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2]
- ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type
- user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
- process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
- command=%proc.cmdline terminal=%proc.tty %container.info)
-
- priority: WARNING
- tags: [maturity_stable, host, container, filesystem, mitre_credential_access,
- T1555]
+ condition: >
+ (
+ open_read or open_file_failed
+ )
+ and (
+ etc_dir or user_ssh_directory or
+ fd.name startswith /root/.ssh or
+ fd.name contains "id_rsa"
+ )
+ and directory_traversal
+ and not proc.pname in (shell_binaries)
+
+ enabled: true
+ output: Read monitored file via directory traversal
+ (file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2]
+ ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type
+ user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
+ process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname
+ command=%proc.cmdline terminal=%proc.tty %container.info)
+
+ priority: WARNING
+ tags: [maturity_stable, host, container, filesystem, mitre_credential_access,
+ T1555]
 - macro: cmp_cp_by_passwd
 condition: (proc.name in (cmp, cp) and proc.pname in (passwd, run-parts))