diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml
index c95a4d27..30bb782f 100644
--- a/rules/linux/auditd/lnx_auditd_web_rce.yml
+++ b/rules/linux/auditd/lnx_auditd_web_rce.yml
@@ -1,18 +1,26 @@
-title: Webshell/RCE command execute detect status: experimental description: Posible command execute detect on web application/web shell
+title: Webshell/RCE command execute detect
+status: experimental
+description: Posible command execute detect on web application/web shell
 # You need to add to the config auditd.conf:
-# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
-# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
-# change 33 to id you webserver user. default:
-#www-data:x:33:33
+# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
+# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
+# change 33 to id you webserver user. default: www-data:x:33:33
 tags:
-    - attack.persistence references:
-    - personal experience author: Beyu Denis, oscd.community date: 2019/10/21 logsource:
+    - attack.persistence
+references:
+    - personal experience
+author: Beyu Denis, oscd.community
+date: 2019/10/12
+logsource:
     product: linux
-    service: auditd detection:
+    service: auditd
+detection:
     selection:
         type: 'SYSCALL'
         SYSCALL: 'execve'
         key: 'detect_execve_www'
-    condition: selection falsepositives:
+    condition: selection
+falsepositives:
     - Admin activity
-    - Crazy web applications level: critical
+    - Crazy web applications
+level: critical
\ No newline at end of file
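Review bot: The rewritten audit-rule comments (`-a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www` and the b64 twin) and the `SYSCALL: 'execve'` selector only cover execve(2); a process started through execveat(2) matches neither, so a webshell can spawn commands without producing a `detect_execve_www` record. Changing the rules to `-S execve,execveat` and the selector to a list (`SYSCALL:` / `- 'execve'` / `- 'execveat'`) closes that gap without affecting existing matches. The unchanged comment above the rules says to put them in auditd.conf, but those are audit rules, not daemon settings; they belong in `/etc/audit/rules.d/*.rules` (or `audit.rules`), so the line should read `# Add these audit rules to /etc/audit/rules.d/ (not auditd.conf):`. Since `euid=33` matches every execve by the web-server user, legitimate PHP/CGI subprocesses (mailers, image converters) will fire this critical-level rule as well, which the "Crazy web applications" false positive hints at but the description (which also misspells "Possible") should state explicitly. The hunk also moves `date:` from 2019/10/21 to 2019/10/12, which looks like a typo fix but should be confirmed with the author.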