diff --git a/rules/detection/high/linux.json b/rules/detection/high/linux.json
index ae67ada..4a41fd8 100644
--- a/rules/detection/high/linux.json
+++ b/rules/detection/high/linux.json
@@ -1,7 +1,7 @@
 [
 {
 "title": "Boot/Kernel Configuration Modified",
-"expression": "(event.type == 'change' && file.type == 'file') || contains(file.path || '', '/etc/sysctl.d/') || contains(file.path || '', '/etc/modules-load.d/') || contains(file.path || '', '/etc/modprobe.d/') || contains(file.path || '', '/etc/default/grub') || contains(file.path || '', 'lib/modules/')",
+"expression": "event.category == 'file' && event.type == 'change' && (contains(file.path || '', '/etc/sysctl') || contains(file.path || '', '/etc/modules-load.d/') || contains(file.path || '', '/etc/modprobe.d/') || contains(file.path || '', '/etc/default/grub') || contains(file.path || '', '/lib/modules/'))",
 "severity": "high",
 "type": "auditbeat"
 }
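Review bot: The new expression fires only on `event.type == 'change'`, so if these events come from auditbeat's file_integrity module, a file newly dropped into one of these directories (a fresh `/etc/sysctl.d/*.conf` or `/etc/modprobe.d/*.conf`, the usual way this persistence shows up) is reported with `event.type` `creation` and is never matched; the likely intent is `event.category == 'file' && (event.type == 'change' || event.type == 'creation') && (` with the path clauses unchanged, and `deletion` may be worth adding for the same paths. `contains` is a substring test, so `'/etc/sysctl'` now also covers `/etc/sysctl.conf` (probably wanted), but every fragment also matches the same path under another prefix such as a user's home copy or a chroot; if the expression language offers a prefix match it would be tighter than `contains`. Dropping `file.type == 'file'` means directory-level changes under these paths match as well, which seems acceptable, but the rule has no description field explaining the intended scope, and one sentence there would spare the next maintainer re-deriving it.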