diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml
index c7284e082..1982b9c30 100644
--- a/rules_building_block/collection_posh_compression.toml
+++ b/rules_building_block/collection_posh_compression.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/08/18"
 [rule]
@@ -63,7 +63,7 @@ event.category:process and host.os.type:windows and
 "ZipArchiveMode"
 ) or
 powershell.file.script_block_text : "Compress-Archive"
-)
+) and not file.path : *ProgramData*Microsoft*Windows*Defender*Advanced*Threat*Protection*DataCollection*
 '''
diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml
index 8daa00ca5..dbe5e6cf7 100644
--- a/rules_building_block/defense_evasion_generic_deletion.toml
+++ b/rules_building_block/defense_evasion_generic_deletion.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/13"
+updated_date = "2023/08/16"
 [rule]
 author = ["Elastic"]
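Review bot: The added exclusion `and not file.path : *ProgramData*Microsoft*Windows*Defender*Advanced*Threat*Protection*DataCollection*` is unanchored at both ends, so it suppresses the rule for any script whose path merely contains those substrings in that order, not only the Defender for Endpoint data-collection directory. Since this is a building-block rule that other logic may chain on, a path-only allowlist this wide is worth tightening: the `*` separators appear to stand in for spaces, which a quoted, escaped path (as the `"C:\\Program Files\\..."` entry in discovery_posh_generic.toml does) handles directly without the leading wildcard, and pairing the path with the process that legitimately runs those scripts would make the path alone insufficient. A one-line reason for the exclusion would also help later maintainers, as the hunk gives none. The enclosing query starts before the hunk.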
@@ -33,7 +33,12 @@ process where host.os.type == "windows" and event.type == "start" and
 (process.name: "reg.exe" and process.args:"delete") or
 (
 process.name: "cmd.exe" and process.args: ("*rmdir*", "*rm *", "rm") and
- not process.args : ("*\\AppData\\Local\\Microsoft\\OneDrive\\*", "*\\AppData\\Local\\Temp\\DockerDesktop\\*")
+ not process.args : (
+ "*\\AppData\\Local\\Microsoft\\OneDrive\\*",
+ "*\\AppData\\Local\\Temp\\DockerDesktop\\*",
+ "*\\AppData\\Local\\Temp\\Report.*",
+ "*\\AppData\\Local\\Temp\\*.PackageExtraction"
+ )
 ) or
 (process.name: "powershell.exe" and process.args: ("*rmdir", "rm", "rd", "*Remove-Item*", "del", "*]::Delete(*"))
 ) and not user.id : "S-1-5-18"
diff --git a/rules_building_block/discovery_generic_process_discovery.toml b/rules_building_block/discovery_generic_process_discovery.toml
index 2929a9e7f..bdeade136 100644
--- a/rules_building_block/discovery_generic_process_discovery.toml
+++ b/rules_building_block/discovery_generic_process_discovery.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/13"
+updated_date = "2023/08/16"
 [rule]
 author = ["Elastic"]
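Review bot: The two new entries `"*\\AppData\\Local\\Temp\\Report.*"` and `"*\\AppData\\Local\\Temp\\*.PackageExtraction"` allowlist deletions under a per-user writable Temp directory by file name alone, and because `not process.args : (...)` drops the whole event when any single argument matches, a cmd.exe `rmdir`/`rm` invocation that names one such path alongside other targets is no longer seen at all. Unlike the OneDrive and DockerDesktop entries, nothing in the hunk says which component produces `Report.*` or `*.PackageExtraction`; please record the source in the rule's false-positive notes or the commit message, and consider narrowing `Report.*` to the extensions actually observed. The enclosing query starts before the hunk.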
@@ -29,13 +29,12 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
 (
- process.name == "reg.exe" and process.args : "query" or
- (process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
- (process.args: ("*Get-ChildItem*", "*Get-Item*", "*Get-ItemProperty*") and
- process.args : (
- "*HKLM*", "*HKCU*", "*HKEY_LOCAL_MACHINE*", "*HKEY_CURRENT_USER*", "Registry::"
- )))
- )
+ process.name :("PsList.exe", "qprocess.exe") or
+ (process.name : "powershell.exe" and process.args : ("*get-process*", "*Win32_Process*")) or
+ (process.name : "wmic.exe" and process.args : ("process", "*Win32_Process*")) or
+ (process.name : "tasklist.exe" and not process.args : ("pid eq*")) or
+ (process.name : "query.exe" and process.args : "process")
+ ) and not user.id : "S-1-5-18"
 '''
diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml
index a4e6dc5ac..26cda1b53 100644
--- a/rules_building_block/discovery_posh_generic.toml
+++ b/rules_building_block/discovery_posh_generic.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/26"
+updated_date = "2023/08/16"
 [rule]
@@ -133,7 +133,15 @@ event.category:process and host.os.type:windows and
 )
 )
 ) and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
- and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1)
+ and not file.path : (
+ *WindowsPowerShell*Modules*.psd1 or
+ *WindowsPowerShell*Modules*.psm1 or
+ "C:\\Program Files\\Microsoft Azure AD Sync\\Extensions\\AADConnector.psm1"
+ )
+ and not (file.path : (
+ *Windows*TEMP*SDIAG* or
+ *WINDOWS*TEMP*SDIAG* or
+ *windows*TEMP*SDIAG*) and file.name : "CL_Utility.ps1")
 '''
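Review bot: The new PowerShell clause `(process.name : "powershell.exe" and process.args : ("*get-process*", "*Win32_Process*"))` matches only powershell.exe, whereas the removed lines matched `("powershell.exe", "pwsh.exe", "powershell_ise.exe")`, so a `Get-Process` or `Win32_Process` enumeration launched from PowerShell 7 or the ISE now falls outside a rule that is meant to be the generic process-discovery building block. Suggest `(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : ("*get-process*", "*Win32_Process*")) or`. Minor style: `process.name :("PsList.exe", "qprocess.exe")` lacks the space after `:` that every other term in the hunk uses.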
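Review bot: The three spellings `*Windows*TEMP*SDIAG*`, `*WINDOWS*TEMP*SDIAG*` and `*windows*TEMP*SDIAG*` point to a case-sensitivity concern on `file.path`; if the field matches case-sensitively the list still misses other casings (`*Windows*Temp*SDIAG*`, for instance), and if it matches case-insensitively one pattern suffices, so this should be checked against the field mapping rather than enumerated. Either way the pattern is unanchored, so together with `file.name : "CL_Utility.ps1"` it excludes any script of that name whose path merely contains those substrings; anchoring on the actual diagnostics directory, quoted as the `"C:\\Program Files\\Microsoft Azure AD Sync\\Extensions\\AADConnector.psm1"` entry in the same hunk is, keeps the allowlist tied to the location it is meant for. The enclosing query starts before the hunk.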