From 055864e7300975febfaddb26b86d97dc0dfb6217 Mon Sep 17 00:00:00 2001
From: Emanuel <222579485+EFA006@users.noreply.github.com>
Date: Mon, 9 Mar 2026 13:12:11 +0100
Subject: [PATCH 1/2] Refine expression for Boot/Kernel Configuration rule

Replaced file.type with event.category as not all beats are logging file.type. Additionally some logical issues.
---
 rules/detection/high/linux.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/detection/high/linux.json b/rules/detection/high/linux.json
index ae67ada..a8001b5 100644
--- a/rules/detection/high/linux.json
+++ b/rules/detection/high/linux.json
@@ -1,7 +1,7 @@
 [
 {
 "title": "Boot/Kernel Configuration Modified",
- "expression": "(event.type == 'change' && file.type == 'file') || contains(file.path || '', '/etc/sysctl.d/') || contains(file.path || '', '/etc/modules-load.d/') || contains(file.path || '', '/etc/modprobe.d/') || contains(file.path || '', '/etc/default/grub') || contains(file.path || '', 'lib/modules/')",
+ "expression": "contains(event.category, 'file') && contains(event.type, 'change') && (contains(file.path || '', '/etc/sysctl') || contains(file.path || '', '/etc/modules-load.d/') || contains(file.path || '', '/etc/modprobe.d/') || contains(file.path || '', '/etc/default/grub') || contains(file.path || '', '/lib/modules/'))",
 "severity": "high",
 "type": "auditbeat"
 }

From 83c37177553625e3fdab630d8fe3aac8d14449de Mon Sep 17 00:00:00 2001
From: Emanuel <222579485+EFA006@users.noreply.github.com>
Date: Mon, 9 Mar 2026 13:18:43 +0100
Subject: [PATCH 2/2] Update expression for Boot/Kernel Configuration rule

---
 rules/detection/high/linux.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/detection/high/linux.json b/rules/detection/high/linux.json
index a8001b5..4a41fd8 100644
--- a/rules/detection/high/linux.json
+++ b/rules/detection/high/linux.json
@@ -1,7 +1,7 @@
 [
 {
 "title": "Boot/Kernel Configuration Modified",
- "expression": "contains(event.category, 'file') && contains(event.type, 'change') && (contains(file.path || '', '/etc/sysctl') || contains(file.path || '', '/etc/modules-load.d/') || contains(file.path || '', '/etc/modprobe.d/') || contains(file.path || '', '/etc/default/grub') || contains(file.path || '', '/lib/modules/'))",
+ "expression": "event.category == 'file' && event.type == 'change' && (contains(file.path || '', '/etc/sysctl') || contains(file.path || '', '/etc/modules-load.d/') || contains(file.path || '', '/etc/modprobe.d/') || contains(file.path || '', '/etc/default/grub') || contains(file.path || '', '/lib/modules/'))",
 "severity": "high",
 "type": "auditbeat"
 }
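Review bot: The added `+` expression gates every path match on `event.type == 'change'`, so dropping a brand-new file into `/etc/modprobe.d/`, `/etc/modules-load.d/` or `/etc/sysctl.d/` — the common way kernel settings are persisted by an attacker — is not alerted on if auditbeat reports that as a creation rather than a change; consider `(event.type == 'change' || event.type == 'creation' || event.type == 'deletion')`, confirming the exact `event.type` values your beats emit. Patch 1 deliberately used `contains(event.category, 'file')` and this patch swaps it for `==`; in ECS `event.category` and `event.type` are array-valued, so whether `==` matches at all depends on how the rule engine compares an array to a string — verify against a live event before trusting the rule, or keep `contains`. On path coverage, `/etc/default/grub` is matched but the generated `/boot/grub*/grub.cfg`, `/etc/grub.d/` and `/etc/modules` are not; add them if they are in scope for this rule. The enclosing JSON array continues past the hunk (its closing `]` is outside the shown lines).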