Update rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml

Aegrah · web-flow · commit 69903737c7bc · 2025-12-01T11:08:56.000+01:00
diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
@@ -44,7 +44,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and (
   (process.name == "kubectl" and process.args == "run" and process.args == "--restart=Never" and process.args == "--") or
   (process.name == "docker" and process.args == "run")
 ) and 
