From 5713f696128a8d4ea731590da7f575a7149b2781 Mon Sep 17 00:00:00 2001
From: Emanuel <222579485+EFA006@users.noreply.github.com>
Date: Mon, 9 Mar 2026 13:23:41 +0100
Subject: [PATCH 1/3] Update expression for Boot/Kernel Configuration rule

---
 rules/detection/high/linux.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/detection/high/linux.json b/rules/detection/high/linux.json
index 4a41fd8..efcf22e 100644
--- a/rules/detection/high/linux.json
+++ b/rules/detection/high/linux.json
@@ -1,7 +1,7 @@
 [
 {
 "title": "Boot/Kernel Configuration Modified",
- "expression": "event.category == 'file' && event.type == 'change' && (contains(file.path || '', '/etc/sysctl') || contains(file.path || '', '/etc/modules-load.d/') || contains(file.path || '', '/etc/modprobe.d/') || contains(file.path || '', '/etc/default/grub') || contains(file.path || '', '/lib/modules/'))",
+ "expression": "(contains(event.category, 'file') && contains(event.type, 'change')) && (contains(file.path || '', '/etc/sysctl') || contains(file.path || '', '/etc/modules-load.d/') || contains(file.path || '', '/etc/modprobe.d/') || contains(file.path || '', '/etc/default/grub') || contains(file.path || '', '/lib/modules/'))",
 "severity": "high",
 "type": "auditbeat"
 }
From 2925aa930b581722f36f094e10c252d949798954 Mon Sep 17 00:00:00 2001
From: Emanuel <222579485+EFA006@users.noreply.github.com>
Date: Mon, 9 Mar 2026 14:13:02 +0100
Subject: [PATCH 2/3] Update expression to use to_string for file paths

---
 rules/detection/high/linux.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/detection/high/linux.json b/rules/detection/high/linux.json
index efcf22e..0c3f97f 100644
--- a/rules/detection/high/linux.json
+++ b/rules/detection/high/linux.json
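Review bot: The `contains(event.type, 'change')` gate on the `+` line still only fires for modifications of existing files, so dropping a brand-new `/etc/modprobe.d/x.conf` or `/etc/modules-load.d/x.conf` — the usual way a module-loading persistence is planted — or deleting one is not covered if auditbeat reports those as a different event.type (ECS file events distinguish `creation` and `deletion` from `change`; confirm against what the file_integrity module actually emits). I would widen the gate to `(contains(event.type, 'change') || contains(event.type, 'creation') || contains(event.type, 'deletion'))`. The move from `==` to `contains` on event.category/event.type reads as accommodating those fields being arrays; stating that in the commit message would spare the next reader the inference.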
@@ -1,7 +1,7 @@
 [
 {
 "title": "Boot/Kernel Configuration Modified",
- "expression": "(contains(event.category, 'file') && contains(event.type, 'change')) && (contains(file.path || '', '/etc/sysctl') || contains(file.path || '', '/etc/modules-load.d/') || contains(file.path || '', '/etc/modprobe.d/') || contains(file.path || '', '/etc/default/grub') || contains(file.path || '', '/lib/modules/'))",
+ "expression": "(to_string(contains(event.category, 'file')) && to_string(contains(event.type, 'change'))) && (contains(to_string(file.path), '/etc/sysctl') || contains(to_string(file.path), '/etc/modules-load.d/') || contains(to_string(file.path), '/etc/modprobe.d/') || contains(to_string(file.path), '/etc/default/grub') || contains(to_string(file.path), '/lib/modules/'))",
 "severity": "high",
 "type": "auditbeat"
 }
From 3f988476ec5633546785f12f2d81b135fbc195d8 Mon Sep 17 00:00:00 2001
From: Emanuel <222579485+EFA006@users.noreply.github.com>
Date: Mon, 9 Mar 2026 14:39:54 +0100
Subject: [PATCH 3/3] Refactor expression for Boot/Kernel Configuration rule

---
 rules/detection/high/linux.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/detection/high/linux.json b/rules/detection/high/linux.json
index 0c3f97f..85cff99 100644
--- a/rules/detection/high/linux.json
+++ b/rules/detection/high/linux.json
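Review bot: `to_string(contains(event.category, 'file')) && to_string(contains(event.type, 'change'))` on the `+` line wraps the two boolean gates in `to_string`, so if the expression engine treats any non-empty string — including "false" — as truthy, the category/type filter is silently disabled and the rule matches on path substring alone; if the engine refuses to `&&` strings instead, the rule does not evaluate at all. Either way this intermediate revision must not be deployed on its own. PATCH 3/3 in this series moves `to_string` inside `contains`, which is the correct shape; if the series is not squashed, consider dropping this commit so a bisect never lands on it.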
@@ -1,7 +1,7 @@
 [
 {
 "title": "Boot/Kernel Configuration Modified",
- "expression": "(to_string(contains(event.category, 'file')) && to_string(contains(event.type, 'change'))) && (contains(to_string(file.path), '/etc/sysctl') || contains(to_string(file.path), '/etc/modules-load.d/') || contains(to_string(file.path), '/etc/modprobe.d/') || contains(to_string(file.path), '/etc/default/grub') || contains(to_string(file.path), '/lib/modules/'))",
+ "expression": "contains(to_string(event.category), 'file') && contains(to_string(event.type), 'change') && (contains(to_string(file.path), '/etc/sysctl') || contains(to_string(file.path), '/etc/modules-load.d/') || contains(to_string(file.path), '/etc/modprobe.d/') || contains(to_string(file.path), '/etc/default/grub') || contains(to_string(file.path), '/lib/modules/'))",
 "severity": "high",
 "type": "auditbeat"
 }
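Review bot: The path predicates on the `+` line are unanchored substring matches, so `/lib/modules/` fires for any path containing that fragment (a user's `~/lib/modules/x.ko`, a container image root under `/var/lib/...`), while `/boot/` — the kernel image, initramfs and `grub.cfg` that the rule's title promises to cover — is not matched at all. I would add the boot tree and the GRUB drop-in directory to the alternation, `|| contains(to_string(file.path), '/boot/') || contains(to_string(file.path), '/etc/grub.d/')`, and, if the expression language offers a prefix test (e.g. `starts_with`), use it in place of `contains` for every entry so only absolute system paths match. Both points depend on auditbeat's file_integrity module actually watching those directories — a path outside its `paths` list never produces an event — so the rule's coverage should be cross-checked against the agent config. `to_string(file.path)` also drops the explicit `|| ''` fallback of the previous revision; that is harmless only if `to_string` of a missing field yields something containing none of the fragments, which is worth confirming.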