diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index 7c4950e..6d6b92a 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -208,7 +208,7 @@ WHERE
 )
 OR (
 p1_name = 'ssh'
- AND p0_cmd LIKE 'gcloud.py compute start-iap-tunnel%'
+ AND p0_cmd LIKE '%gcloud.py compute start-iap-tunnel%'
 )
 OR exception_key IN (
 'bash,0,pia-daemon,launchd',
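Review bot: The leading `%` added to the `p0_cmd` pattern turns this exception from a prefix match into a substring match, so any shell whose parent is named `ssh` and whose command line merely contains `gcloud.py compute start-iap-tunnel` is now excluded from the detection. Process names and command lines are chosen by whoever launches the process, so the exception should stay as narrow as the real invocation allows; if the aim is to tolerate an interpreter and install path in front of the script, `AND p0_cmd LIKE '%/gcloud.py compute start-iap-tunnel%'` at least keeps the script-name boundary (confirm against the command lines actually observed). If that is the reason for the wildcard, a comment above the clause such as `-- gcloud IAP tunnel: p0_cmd is prefixed by the python interpreter and SDK path` would record it for the next reviewer. The WHERE clause starts and ends outside this hunk, so other conditions that may bound this exception are not visible here.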