diff --git a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
index 7237b42e7..47c2fb748 100644
--- a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
+++ b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/10"
 [rule]
 author = ["Elastic"]
@@ -99,8 +99,14 @@ event.category:network and host.os.type:macos and event.action:connection_attemp
 *.npmjs.org or *.ollama.ai or *.ollama.com or *.openai.com or *.pypi.org or *.r2.cloudflarestorage.com or *.segment.io or *.sentry.io or *.visualstudio.com or *.vsassets.io or *.vscode-cdn.net or *.windsurf.ai or *.x.ai or *.yarnpkg.com or
- *.cartocdn.com or *.chatgpt.com or *.ggpht.com or *.recaptcha.net or *.shields.io or
- *.travis-ci.com or *.travis-ci.org or *.ytimg.com or flagcdn.com or opencollective.com
+ *.cartocdn.com or *.chatgpt.com or *.claude.ai or *.claude.com or
+ *.claudeusercontent.com or *.ggpht.com or *.gstatic.com or *.googleusercontent.com or
+ *.launchpadcontent.net or *.pythonhosted.org or *.recaptcha.net or *.shields.io or
+ *.snapcraftcontent.com or *.snapcraft.io or *.stripe.com or *.travis-ci.com or
+ *.travis-ci.org or *.ubuntu.com or *.ytimg.com or
+ *.github.io or *.githubassets.com or *.jsdelivr.net or *.nodesource.com or
+ chatgpt.com or claude.ai or claude.com or flagcdn.com or gitlab.com or
+ opencollective.com or pypi.org
 ))
 '''
diff --git a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
index c8610e180..70427bd61 100644
--- a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
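Review bot: Several of the domains added to the allowlist are hosts where any account can publish arbitrary content — `*.github.io`, `*.jsdelivr.net`, `gitlab.com` and `*.googleusercontent.com` — so a GenAI process fetching from one of them is precisely the egress this command-and-control rule is meant to surface, and whitelisting them turns a tuning problem into a blind spot. Prefer leaving those four out of the query and handling the noise through the rule's false-positive guidance or per-environment exceptions, e.g. shrink the line to `*.githubassets.com or *.nodesource.com or` and drop `gitlab.com` and `*.googleusercontent.com` from their lines. The remaining additions (vendor CDNs, package indexes, the Claude/ChatGPT apex domains) look like straightforward first-party traffic. The field this allowlist is matched against and the start of the query are outside the hunk.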
+++ b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/10"
 [rule]
 author = ["Elastic"]
@@ -131,7 +131,8 @@ file where event.action in ("open", "creation", "modification") and event.outcom
 ) and not (
 host.os.type == "windows" and process.name : ("claude.exe", "Claude") and
- file.path : "?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State"
+ file.path : ("?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State",
+ "?:\\Users\\*\\AppData\\Local\\Packages\\Claude_*\\LocalCache\\Roaming\\Claude\\Local State")
 )
 '''
diff --git a/rules/cross-platform/defense_evasion_genai_config_modification.toml b/rules/cross-platform/defense_evasion_genai_config_modification.toml
index 29402f51e..812702a98 100644
--- a/rules/cross-platform/defense_evasion_genai_config_modification.toml
+++ b/rules/cross-platform/defense_evasion_genai_config_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/10"
 [rule]
 author = ["Elastic"]
@@ -86,11 +86,17 @@ file.path : (
 */.moltbot/* or */AppData/Roaming/Moltbot/* or */.config/openclaw/*
 ) and not (
- file.extension : (lck or lock) or
+ file.extension : (lck or lock or log or png or marker) or
+ file.name : .DS_Store or
+ file.path : (
+ */.claude/cache/* or
+ */.claude/statsig/* or
+ */.codex/log/* or
+ */.codex/sessions/*
+ ) or
 (
 file.path : */.config/github-copilot/* and file.name : (apps.json or versions.json or copilot*nitrite.db)
- )
 )
 '''
diff --git a/rules/cross-platform/execution_openclaw_agent_child_process.toml b/rules/cross-platform/execution_openclaw_agent_child_process.toml
index 065549e22..919bf5982 100644
--- a/rules/cross-platform/execution_openclaw_agent_child_process.toml
+++ b/rules/cross-platform/execution_openclaw_agent_child_process.toml
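Review bot: The exception that lets the `Local State` read through is keyed on `process.name : ("claude.exe", "Claude")` alone, and the added `?:\\Users\\*\\AppData\\Local\\Packages\\Claude_*\\LocalCache\\Roaming\\Claude\\Local State` path widens it to a second location without tightening who may read it, so any binary that merely calls itself claude.exe is carved out of a credential-access rule. Consider pinning the exception to the signed publisher as well, e.g. `process.code_signature.trusted == true and process.code_signature.subject_name : "<Claude desktop signer - take from telemetry>"` next to the `process.name` test. If the MSIX package family name is stable it can replace the `Claude_*` wildcard; otherwise the wildcard is acceptable, since the trailing `\\LocalCache\\Roaming\\Claude\\Local State` is still fixed. The `file where …` head of the query and the other exclusion groups are outside the hunk.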
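Review bot: As rendered here the reworked `not (` block appears to come out one closing parenthesis short: the line `)` after `file.name : (apps.json or versions.json or copilot*nitrite.db)` is removed, but the `(` that opens the github-copilot group is kept, so the final `)` now closes that group and the `not (` opened before `file.extension` is never closed. If this rendering dropped a line the point is moot; otherwise the query will not parse and the rule will fail validation. The fix is to keep the removed line, i.e. retain `)` after the `file.name` line so both the group and the `not (` block close, with the new `) or` already closing the `file.path : (` list above it. The enclosing `file where` head and the start of the `file.path : (` list are outside the hunk.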
@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/10"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,9 @@ query = '''
 process where event.type == "start" and process.parent.name : ("node", "node.exe") and process.parent.command_line : ("*openclaw*", "*moltbot*", "*clawdbot*") and
- process.name : ("bash", "sh", "zsh", "bash.exe", "cmd.exe", "powershell.exe", "curl.exe", "curl", "base64", "xattr", "osascript", "python*", "chmod", "certutil.exe", "rundll32.exe")
+ process.name : ("bash", "sh", "zsh", "bash.exe", "cmd.exe", "powershell.exe", "curl.exe", "curl", "base64", "xattr", "osascript", "python*", "chmod", "certutil.exe", "rundll32.exe") and
+ not process.command_line in ("/bin/sh -c ip neigh show", "/usr/bin/sh -c ip neigh show",
+ "/bin/sh -c arp -a -n -l", "/usr/bin/sh -c arp -a -n -l")
 '''
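Review bot: The new `not process.command_line in (…)` clause silently excludes neighbour-table enumeration (`ip neigh show`, `arp -a -n -l`), which is network discovery by any other name, and nothing in the rule records why an agent child process doing it is expected. The exact-match `in` keeps the exclusion narrow — a different shell path, extra arguments or a chained command still alert — so the clause itself is fine, but the reason belongs in the rule's `false_positives` entry (outside the hunk), e.g. `OpenClaw's own network discovery runs ip neigh show and arp -a -n -l via /bin/sh -c; these four exact command lines are excluded.` The rest of the query is unchanged and fully visible in the hunk.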