diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml
index 7e8ea0e16..35e82ab87 100644
--- a/rules/linux/defense_evasion_chattr_immutable_file.toml
+++ b/rules/linux/defense_evasion_chattr_immutable_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/26"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and user.name == "root" and
 process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and
-not process.parent.executable: "/lib/systemd/systemd"
+not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*")
 '''
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 21001ce16..58a2e7406 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/26"
 integration = ["endpoint"]
 [rule]
@@ -31,7 +31,7 @@ query = '''
 file where host.os.type == "linux" and event.type == "creation" and user.name == "root" and
 file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*") and
 not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic",
- "*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system")
+ "*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor")
 '''
 [[rule.threat]]
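Review bot: The new parent-process exclusion `"/usr/local/uems_agent/bin/*"` on the `not process.parent.executable` line is a directory wildcard under a root-writable path, and since the rule already requires `user.name == "root"`, any root-level actor can drop a binary into that directory (or a subdirectory, which `*` also matches) and run `chattr +i` on a rootkit or tampered config without this rule firing. Unless the vendor agent genuinely launches chattr from several different binaries, I would narrow the entry to the exact executable observed in the false-positive telemetry rather than the whole directory. The path alone does not tell an analyst what product this is or why it sets immutable bits, so the rule's `false_positives` or `note` section (outside this hunk) should record that rationale. The trailing context lines of this `query` block are not visible in this chunk.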
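Review bot: `"*/bin/dockerd"` and `"*/sbin/dockerd"` in the new `not process.executable` exclusions match any path that ends in `/bin/dockerd`, so a root actor can stage tooling as, say, `/tmp/x/bin/dockerd` and create files under `/etc/cron.d/*` or `/etc/sudoers.d/*` without this rule firing. The older `*/dpkg`-style entries share that weakness, but these new ones can be anchored where the daemon is actually installed, e.g. `"/usr/bin/dockerd", "/usr/sbin/dockerd", "/usr/local/bin/dockerd"`, which still covers distro and upstream package layouts. `"/kaniko/executor"` is presumably excluded because kaniko build steps write into what the sensor sees as `/etc/...` inside the build container; if so, a malicious build step dropping a sudoers or cron file is now silently tolerated, and that trade-off deserves a sentence in the rule's `false_positives` or `note` section (outside this hunk) so analysts know the exclusion is deliberate.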