diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml
index 83a45eb7e..15640d92d 100644
--- a/rules/windows/discovery_system_service_discovery.toml
+++ b/rules/windows/discovery_system_service_discovery.toml
@@ -30,7 +30,7 @@ process where host.os.type == "windows" and event.type == "start" and
   ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or
   ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or
   ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc")
-  )
+  ) and not user.id : "S-1-5-18"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules/windows/discovery_system_time_discovery.toml
index 7f29c8c8e..8489b4981 100644
--- a/rules/windows/discovery_system_time_discovery.toml
+++ b/rules/windows/discovery_system_time_discovery.toml
@@ -29,7 +29,7 @@ process where host.os.type == "windows" and event.type == "start" and
  ((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : "time") or 
  (process.name: "w32tm.exe" and process.args: "/tz") or 
  (process.name: "tzutil.exe" and process.args: "/g")
-)
+) and not user.id : "S-1-5-18"
 '''
 
 [[rule.threat]]