From f42eb77f299f400ca7527ecd91ef653b68d15a31 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 25 Jan 2023 12:03:11 +0100
Subject: [PATCH] fix: rule logic

---
 rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
index e9eba1d10..5df226990 100644
--- a/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
+++ b/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
@@ -14,7 +14,7 @@ logsource:
     product: linux
 detection:
     selection:
-        '|contains': 'bpf_probe_write_user'
+        - 'bpf_probe_write_user'
     condition: selection
 falsepositives:
     - Unknown
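Review bot: The new list-form `selection` turns the rule into a keyword search, so whether `bpf_probe_write_user` is matched as a whole token or as a substring now depends on the Sigma backend, and the rule gives a reader no hint of which event text it is expected to hit. Presumably the intended source is the kernel's warning logged when a program using the `bpf_probe_write_user` helper is loaded, but the `logsource` service/category lines are outside the hunk, so I cannot confirm that. Consider recording this in the rule's `description`, or as a YAML comment above the keyword, e.g. `# keyword match on the kernel's bpf_probe_write_user load warning; token vs. substring semantics are backend-dependent`. The `falsepositives: - Unknown` context line could likewise note that some legitimate tracing or debugging tooling may invoke this helper, which would help analysts triage hits.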