diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml
index 215cdd56c..075a03e4b 100644
--- a/rules/linux/defense_evasion_chattr_immutable_file.toml
+++ b/rules/linux/defense_evasion_chattr_immutable_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/12/12"
+updated_date = "2024/01/11"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "linux" and event.type == "start" and user.name == "root" and
+process where host.os.type == "linux" and event.type == "start" and user.id == "0" and
   process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and
   not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd") and
   not process.parent.name in ("systemd", "cf-agent", "ntpdate", "xargs", "px", "preinst", "auth")
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 54f1ac72c..ad779245f 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/12/13"
+updated_date = "2024/01/11"
 
 [transform]
 [[transform.osquery]]
@@ -202,7 +202,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and
+file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and
 file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*",
 "/usr/lib/systemd/system/*") and not (
   (process.executable : (