diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index 9aa0bf3f6..de4178c3b 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/24"
+updated_date = "2023/04/25"

 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ type = "eql"
 query = '''
 /* add file size filters when data is available */
 file where host.os.type == "linux" and event.type == "creation" and user.id == "0" and
- file.path regex~ """/var/run/\w+\.(pid|lock|reboot)""" and file.extension in ("pid","lock","reboot") and
+ file.path regex~ """(/var/run|/run)/\w+\.(pid|lock|reboot)""" and file.extension in ("pid","lock","reboot") and
 /* handle common legitimate files */