diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 14e31a872..1b1b59ae5 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/26"
 
 [rule]
 author = ["Elastic"]
@@ -35,11 +35,11 @@ file where event.type in ("change", "creation") and file.extension : "py" and
   ) and
   not process.executable :
     (
-      "/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*",
+      "/Applications/Sublime Text*.app/Contents/*",
       "/usr/local/Cellar/git/*/bin/git",
+      "/Library/Developer/CommandLineTools/usr/bin/git",
       "/usr/libexec/xpcproxy",
-      "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper",
-      "/Applications/Sublime Text.app/Contents/MacOS/plugin_host"
+      "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper"
     )
 '''
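Review bot: The new exclusion `"/Applications/Sublime Text*.app/Contents/*"` in the second hunk is broader than the two entries it replaces: it exempts every executable anywhere under the bundle's Contents/ directory, not just the main binary and plugin_host, so the rule no longer fires for .py changes made by an unexpected executable that has been placed inside the (user-writable) app bundle. If the widening was to cover versioned plugin_host binaries, a narrower pair keeps the original intent: `"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*",` and `"/Applications/Sublime Text*.app/Contents/MacOS/plugin_host*",`. Either way a short comment or note in the rule explaining why the bundle path is excluded would help the next maintainer judge the trade-off. The query block this hunk edits starts outside the hunk (the `file.path` clause and `query = '''` line are above it), and the hunk's last context line may also be beyond the visible text.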