diff --git a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
index e9eba1d10..5df226990 100644
--- a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
+++ b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
@@ -14,7 +14,7 @@ logsource:
 product: linux
 detection:
 selection:
- '|contains': 'bpf_probe_write_user'
+ - 'bpf_probe_write_user'
 condition: selection
 falsepositives:
 - Unknown
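Review bot: The new `selection` is an unscoped keyword list, so `bpf_probe_write_user` is matched against the whole event with backend-dependent semantics — some Sigma backends render a bare keyword as a substring search, others as a whole-token or exact-value match, and the removed `'|contains'` form (a modifier with no field name, which is not valid Sigma) suggests substring matching was the intent. To make that explicit regardless of backend, use wildcards in the keyword: `- '*bpf_probe_write_user*'`. I would also add a comment above the list stating which log line the rule expects, e.g. `# keyword match on the kernel warning logged when a BPF program using the bpf_probe_write_user helper is loaded — confirm against the targeted logsource`; that source is inferred from the helper name, not from the hunk. The rule's `logsource` block begins above the hunk, so whether the keyword is confined to a kernel/syslog source is not visible here.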