diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 230705365..e9bae72e8 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,10 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where event.action == "creation" and user.name == "root" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd")
+file where event.action == "creation" and user.name == "root" and
+file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*")
+and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic",
+ "*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system")
 '''
 
 [[rule.threat]]
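Review bot: The five exclusions added on the last two `+` lines of the query hunk keep the `*/` prefix form of the existing list, so any process whose executable basename is `snapd`, `dnf-automatic`, `yum-cron`, `elastic-agent` or `dnfdaemon-system` is excluded regardless of the directory it runs from, which widens the rule's blind spot rather than narrowing it. Since the rule already keys on `user.name == "root"` writing into persistence directories such as `/etc/cron.d/*` and `/etc/systemd/system/*`, the package-manager exclusions are the only thing standing between a legitimate update and a true positive, and they deserve to be anchored to the absolute paths those tools are installed at (for example `/usr/bin/dpkg` in place of `*/dpkg`) or paired with a `process.parent` or `process.code_signature`-style constraint where the integration provides one. If basename matching is a deliberate choice to cover distribution-specific install locations, that rationale belongs in the rule's `note` field so the next tuner does not remove it; the `[rule]` table's other fields are outside this hunk, so the existing note text cannot be checked here. The `updated_date` hunk is a routine bump and needs no change.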