diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index 2ea1bead4..c0df66799 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/05/04"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,8 @@ event.category:file and event.type:(change or creation) and
 /usr/bin/nautilus or
 /usr/bin/scp or
 /usr/bin/touch or
- /var/lib/docker/*)
+ /var/lib/docker/* or
+ /usr/bin/google_guest_agent)
 '''
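Review bot: The new `/usr/bin/google_guest_agent` entry in the second hunk matches on executable path alone, so every authorized_keys write by a process at that path is suppressed, including on hosts that are not GCE instances. The list it joins appears to be the rule's process exclusion, whose opening is outside this hunk. The guest agent writes the keys it reads from instance or project metadata, so after this change SSH keys added through metadata no longer raise this alert, and that coverage has to come from cloud audit logs for metadata changes. I would record the trade-off in the rule's false-positive or note text, for example `Key writes by the Google guest agent are excluded; SSH keys added through instance metadata must be detected from cloud audit logs.`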