Update rules/linux/execution_executable_stack_execution.toml

Co-authored-by: Terrance DeJesus <[email protected]>
elastic · Jan 17, 2025 · 99fd11a · 99fd11a
1 parent 80715ec
commit 99fd11a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/rules/linux/execution_executable_stack_execution.toml b/rules/linux/execution_executable_stack_execution.toml
@@ -49,7 +49,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and
+host.os.type:"linux" and event.dataset:"system.syslog" and process.name:"kernel" and
 message:"started with executable stack"
 '''