diff --git a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
index 47c2fb748..e981de9b9 100644
--- a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
+++ b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/10"
+updated_date = "2026/04/29"
 
 [rule]
 author = ["Elastic"]
@@ -81,8 +81,7 @@ event.category:network and host.os.type:macos and event.action:connection_attemp
 "Windsurf Helper (Plugin)" or bunx or claude or codex or copilot or cursor or deno or gemini-cli or genaiscript or gpt4all or grok or jan or koboldcpp or llama-cli or llama-server or lmstudio or npx or ollama or pnpm or qwen or textgen or windsurf or yarn
- ) or
- (process.name:(node or node.exe) and process.command_line:(*openclaw* or *moltbot* or *clawdbot*))
+ )
 ) and
 destination.domain:(* and not (
 aka.ms or anthropic.com or atlassian.com or cursor.com or cursor.sh or github.com or gpt4all.io or hf.co or huggingface.co or lmstudio.ai or localhost or ollama.ai or
diff --git a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
index 0fd82fbd9..039d214cb 100644
--- a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
+++ b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/04/21"
+updated_date = "2026/04/29"
 
 [rule]
 author = ["Elastic"]
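Review bot: Removing the `process.name:(node or node.exe) and process.command_line:(*openclaw* or *moltbot* or *clawdbot*)` clause in the -81,8 hunk narrows the rule's coverage, and nothing in the hunk replaces it: the retained process list still catches these agents when they are launched through `npx`, `bunx`, `pnpm` or `yarn`, but a direct `node` launch of that family no longer matches. The hunk does not show why the clause is dropped (a false-positive problem, or a move to a dedicated rule), and since the query is KQL and cannot carry an inline comment, the reasoning belongs in the rule's description or note metadata, e.g. a sentence such as "Direct node launches of the OpenClaw family are intentionally excluded here; see <placeholder: rule or issue reference>". The credential_access_genai_process_sensitive_file_access.toml hunk at -101,11 makes the same removal (there it also drops the `// OpenClaw/Moltbot/Clawdbot family via Node.js` comment and the `*nemoclaw*`/`*nanoclaw*`/`*picoclaw*` patterns), so the same note applies; that hunk's trailing context runs past the end of this view.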
@@ -101,11 +101,7 @@ file where event.action in ("open", "creation", "modification") and event.outcom
 "zed.exe", "zed", "opencode.exe", "opencode", "goose.exe", "goose"
- ) or
- // OpenClaw/Moltbot/Clawdbot family via Node.js
- (process.name in~ ("node", "node.exe") and
- process.command_line like~ ("*openclaw*", "*moltbot*", "*clawdbot*",
- "*nemoclaw*", "*nanoclaw*", "*picoclaw*"))
+ )
 ) and
 // Sensitive file paths