diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
index a9a035c1..57694ad3 100644
--- a/rules/falco-sandbox_rules.yaml
+++ b/rules/falco-sandbox_rules.yaml
@@ -407,10 +407,10 @@ condition: (proc.name in (python, pypy, python3) and proc.cmdline contains ansible)
-macro: python_running_chef
+- macro: python_running_chef
 condition: >
 (proc.name= python and
-(proc.cmdline contains yum-dump.py or
+(proc.cmdline contains yum-dump.py or
 proc.cmdline="python /usr/bin/chef-monitor.py"))
 - macro: python_running_denyhosts
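Review bot: The restored `- macro: python_running_chef` item still matches on `proc.name= python` only, while the ansible macro shown in the hunk header accepts `proc.name in (python, pypy, python3)`; if the chef helper scripts are launched through `python3` or `pypy` this macro never evaluates true and whatever rule consumes it silently loses coverage. For consistency with its sibling I would change that line to `(proc.name in (python, pypy, python3) and`, which is backward-compatible with the current match. The second changed line (`(proc.cmdline contains yum-dump.py or`) differs only in whitespace, and because the condition is a `>` folded scalar the continuation indentation decides whether that line is folded into one expression or kept on its own line; the collapsed diff does not show the indentation, so this is worth confirming against the sibling lines. The spacing in `proc.name= python` is also inconsistent with the rest of the file's `key op value` style.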