diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 67e1b327a67..d687a08a075 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -536,7 +536,7 @@
 condition: >
 kevt
 and non_system_user
- and ka.user.name in (admin_k8s_users)
+ and ka.user.name in (full_admin_k8s_users)
 and not allowed_full_admin_users
 output: K8s Operation performed by full admin user (user=%ka.user.name target=%ka.target.name/%ka.target.resource verb=%ka.verb uri=%ka.uri resp=%ka.response.code)
 priority: WARNING
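Review bot: Nothing in this hunk shows that `full_admin_k8s_users` is defined, and the old name `admin_k8s_users` apparently sat in this condition without the rule failing to load, which suggests an unresolved list name is not reported as an error. I would confirm that a `- list: full_admin_k8s_users` entry exists and is loaded before this rule. I would also add a rule test that replays a sample audit event from one of the listed admin users and expects this WARNING, so a future name mismatch is caught instead of silently disabling the detection. A comment above `condition:` such as `# full_admin_k8s_users must match its '- list:' definition exactly` would help too. The rule starts before the hunk and continues past `priority: WARNING`, so the list definition and any existing test coverage are not visible here.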