Fix query syntax for shared object detection rule

Aegrah · web-flow · commit ad4f34528e38 · 2025-12-18T12:59:59.000+01:00
diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml
@@ -108,7 +108,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where host.os.type == "linux" and event.type == "creation" and
-(file.extension:"so" or file.name:*.so.*) and file.name : ".*.so" and
+(file.extension == "so" or file.name like "*.so.*") and file.name : ".*.so" and
 not process.name in ("dockerd", "azcopy", "podman", "opencode") and not file.name like "._*"
 '''
 
