diff --git a/rules/detection/high/linux.json b/rules/detection/high/linux.json
index 4a41fd8..85cff99 100644
--- a/rules/detection/high/linux.json
+++ b/rules/detection/high/linux.json
@@ -1,7 +1,7 @@
 [
 {
 "title": "Boot/Kernel Configuration Modified",
- "expression": "event.category == 'file' && event.type == 'change' && (contains(file.path || '', '/etc/sysctl') || contains(file.path || '', '/etc/modules-load.d/') || contains(file.path || '', '/etc/modprobe.d/') || contains(file.path || '', '/etc/default/grub') || contains(file.path || '', '/lib/modules/'))",
+ "expression": "contains(to_string(event.category), 'file') && contains(to_string(event.type), 'change') && (contains(to_string(file.path), '/etc/sysctl') || contains(to_string(file.path), '/etc/modules-load.d/') || contains(to_string(file.path), '/etc/modprobe.d/') || contains(to_string(file.path), '/etc/default/grub') || contains(to_string(file.path), '/lib/modules/'))",
 "severity": "high",
 "type": "auditbeat"
 }
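Review bot: The rewritten expression still fires only when `event.type` contains `change`, so dropping a brand-new file into `/etc/modprobe.d/` or `/etc/sysctl.d/` (the usual persistence route) is likely missed if auditbeat's file_integrity module tags that as `creation` rather than `change`; consider `(contains(to_string(event.type), 'change') || contains(to_string(event.type), 'creation'))` and confirm against a live event. The switch from `==` to `contains(to_string(...))` is presumably to cope with ECS array-valued fields, but the same substring match on `file.path` means any path that merely contains `/lib/modules/` or `/etc/sysctl` (for example under `/tmp` or a home directory) also matches, so prefer a prefix match if the expression language offers one. Also verify that `to_string` of an absent `file.path` yields an empty string rather than erroring, since the old `file.path || ''` null guard was dropped. Despite the rule's title, `/boot/grub/grub.cfg`, `/etc/grub.d/` and systemd-boot `/boot/loader/entries/` are not covered, which may be worth a follow-up.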