diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index f954f6f10..7b037a18b 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -118,7 +118,8 @@ file where event.type == "creation" and user.id == "0" and
 "nginx.pid",
 "dhclient.pid",
 "smtpd.pid",
- "stunnel.pid"
+ "stunnel.pid",
+ "1_waagent.pid"
 )
 '''
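Review bot: The new `"1_waagent.pid"` entry widens the exclusion list by file name alone, so the rule goes silent for any root-created file with that name, whichever process wrote it. The other entries have the same property, but each addition enlarges that blind spot. Consider scoping this one to the expected writer, for example `not (file.name == "1_waagent.pid" and process.name == "<agent process name>")`. The rest of the query lies outside this hunk, so the field names need checking against it. The `1_` prefix also looks like an instance index; if the agent writes other indices, those files would still alert, so confirm whether a wildcard such as `file.name like "*_waagent.pid"` is the intended match.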