diff --git a/Osquery/200200-osquery.xml b/Osquery/200200-osquery.xml
index a79c210..f5bfe75 100644
--- a/Osquery/200200-osquery.xml
+++ b/Osquery/200200-osquery.xml
@@ -617,7 +617,7 @@
   <!-- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_user_discovery.yml -->
   <rule id="200287" level="12">
   <if_sid>200223</if_sid>
-  <field name="columns.cmdline">users|w|who</field>
+  <field name="columns.cmdline">^users$|^w$|^who$</field>
   <description>Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</description>
   <options>no_full_log</options>
   <mitre>