diff --git a/salt/soctopus/files/templates/osquery.template b/salt/soctopus/files/templates/osquery.template
index 096921618..5f1c6961a 100644
--- a/salt/soctopus/files/templates/osquery.template
+++ b/salt/soctopus/files/templates/osquery.template
@@ -11,6 +11,12 @@ hive_proxies:
   http: ''
   https: ''
 
+hive_observable_data_mapping:
+  - ip: '{match[osquery][EndpointIP1]}'
+  - ip: '{match[osquery][EndpointIP2]}'
+  - other: '{match[osquery][hostIdentifier]}'
+  - other: '{match[osquery][hostname]}'
+
 hive_alert_config:
   title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
   type: 'osquery'
@@ -23,9 +29,4 @@ hive_alert_config:
   follow: True
   caseTemplate: '5000'
   
-  
-  hive_observable_data_mapping:
-  - ip: '{match[osquery][EndpointIP1]}'
-  - ip: '{match[osquery][EndpointIP2]}'
-  - other: '{match[osquery][hostIdentifier]}'
-  - other: '{match[osquery][hostname]}'
+