diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
index 37763f9..c1e46e3 100644
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@@ -160,6 +160,7 @@ WHERE
 '500,gnome-recipes,0u,0g,gnome-recipes',
 '500,gnome-shell,0u,0g,gnome-shell',
 '500,gnome-software,0u,0g,gnome-software',
+ '0,go,0u,0g,go',
 '500,go,0u,0g,go',
 '500,go,500u,500g,go',
 '500,goa-daemon,0u,0g,goa-daemon',
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 72f018b..96fe2fb 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -123,6 +123,7 @@ WHERE
 '500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
 '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
 '500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
+ '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
 '500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
 '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
 '500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
@@ -147,6 +148,7 @@ WHERE
 '500,apko,apko,0u,0g',
 '500,apko,apko,500u,20g',
 '500,chainctl,chainctl,0u,0g',
+ '500,git,git,0u,500g',
 '500,chainctl,chainctl,500u,20g',
 '500,chainlink,chainlink,500u,20g',
 '500,aws,aws,0u,0g',
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 2fe64e0..b4f192a 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
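Review bot: The new key `'0,go,0u,0g,go'` appears to permit HTTPS from any root-run process named `go`, and because the key carries only the process name it is not tied to a path or signer, so it is wider than the uid-500 `go` entries around it. A one-line comment above the entry saying which root workflow produces it (a build container or system service, presumably) would let the next reviewer judge whether it should stay, e.g. `-- root 'go' builds (TODO: name the host/workflow)`. The `IN (...)` list this sits in starts and ends outside the hunk.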
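Review bot: The `ngrok` entry is inserted between `go` and `grype`, breaking the alphabetical order the surrounding lines keep, and it is the only entry whose identifier field is `a.out`, presumably because the binary carries no bundle identifier. ngrok is a reverse-tunnel tool, so allow-listing it in a C2 detection deserves a line explaining the legitimate use, e.g. `-- ngrok: local tunnel for <team/use>; keyed on Developer ID, identifier reports as a.out`, and the entry should move to its alphabetical position in the list (which continues outside the hunk).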
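Review bot: `'500,git,git,0u,500g'` is dropped between the two `chainctl` entries, splitting that pair; it belongs next to any other `git` entries, or at least outside another program's group. The `0u,500g` combination (effective uid 0 with the user's gid) is unusual for `git` and looks like a `sudo git` invocation; a short comment on why root-effective git should be making HTTPS connections would help, e.g. `-- git run under sudo (TODO: which workflow)`.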
@@ -198,6 +198,7 @@ WHERE
 '80,6,500,spotify-launcher,0u,0g,spotify-launche',
 '80,6,500,spotify,u,g,spotify',
 '80,6,500,steam,500u,100g,steam',
+ '80,6,500,java,0u,0g,java',
 '80,6,500,steam,500u,500g,steam',
 '80,6,500,steamwebhelper,500u,500g,steamwebhelper',
 '80,6,500,terraform,0u,0g,terraform',
@@ -271,6 +272,12 @@ WHERE
 exception_key = '32768,6,500,ssh,0u,0g,ssh'
 AND s.remote_port = 40022
 )
+ -- Qualys
+ AND NOT (
+ exception_key = '80,6,0,curl,0u,0g,curl'
+ AND p.cgroup_path = '/system.slice/qualys-cloud-agent.service'
+ AND child_cmd LIKE ' curl -sS -H Metadata:true http://169.254.169.254/metadata/instance%'
+ )
 AND NOT (
 s.remote_port = 80
 AND (
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index f55fc82..efbd7b0 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -185,7 +185,7 @@ WHERE
 AND NOT (
 (
 pos.remote_port IN (80, 999)
- OR pos.remote_port > 3000
+ OR pos.remote_port > 1024
 )
 AND id_exception_key IN (
 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql
index 8e2a5aa..1446b87 100644
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@@ -150,6 +150,7 @@ WHERE
 'grype',
 'idea',
 'Install',
+ 'terraform-provider-apko',
 'java',
 'jetbrains-toolb',
 'launcher',
diff --git a/detection/evasion/hidden-home-config-dir.sql b/detection/evasion/hidden-home-config-dir.sql
index 00a4a11..6e9363b 100644
--- a/detection/evasion/hidden-home-config-dir.sql
+++ b/detection/evasion/hidden-home-config-dir.sql
@@ -38,3 +38,4 @@ WHERE
 AND file.path NOT LIKE '/root/.debug/.build-id/%'
 AND file.path NOT LIKE '/home/%/.config/%/.git%'
 AND file.path NOT LIKE '/home/%/.config/.gsd-keyboard.settings-ported'
+ AND file.path NOT LIKE '/home/%/.config/.org.chromium.Chromium.%'
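Review bot: `'80,6,500,java,0u,0g,java'` lands between the two `steam` entries, out of the alphabetical order the surrounding lines keep, and `java` is a generic runtime name, so this exception covers every JVM application that talks plain HTTP on port 80 rather than the one that prompted it. Consider moving it to its alphabetical position and adding a comment naming the application, e.g. `-- java: <app> (plain HTTP on port 80)`. The list continues outside the hunk.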
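Review bot: The new `child_cmd LIKE ' curl -sS -H Metadata:true http://169.254.169.254/metadata/instance%'` pattern begins with a literal space, so it only matches if `child_cmd` is assembled with a leading space (its construction is outside the hunk, as is the rest of this WHERE clause); if it is not, the exception never fires and the Qualys agent keeps alerting, which is easy to miss because a non-matching exception is silent. Worth confirming against how `child_cmd` is built and, either way, documenting the shape in the comment, e.g. `-- Qualys cloud agent querying the instance metadata endpoint; child_cmd carries a leading space`. The `Metadata:true` header and `/metadata/instance` path appear to be the Azure IMDS convention, and 169.254.169.254 is the cloud metadata address, so scoping the exception on `p.cgroup_path` is the right way to keep root-curl to that address visible for everything else.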
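Review bot: Lowering the threshold from `> 3000` to `> 1024` widens the port exemption for every `id_exception_key` in the `IN (...)` list that follows (which continues outside the hunk), not only for the application that motivated the change, and there is no comment recording why. If one app needed a port in 1025–3000, a narrower fix is a per-app clause; if the intent is "any non-privileged port for these signed apps", say so, e.g. `-- signed apps below may use any non-privileged port (>1024)`.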
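Review bot: `'terraform-provider-apko'` is out of the sorted order of its neighbours (`Install`, `java`) and, at 23 characters, it cannot match on Linux if this list is compared against the kernel-truncated process name — the existing entries `'jetbrains-toolb'` here and `'unattended-upgr'` in `high_disk_bytes_read.sql` are 15-character truncations, which suggests it is. If Linux hosts are in scope, add the 15-character form alongside (constructed: `'terraform-provi'`) with a comment such as `-- Linux comm is truncated to 15 chars`. The same applies to the identical addition in `high_disk_bytes_read.sql` further down this diff.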
diff --git a/detection/execution/recently-created-executables-long-lived-macos.sql b/detection/execution/recently-created-executables-long-lived-macos.sql
index bc72626..602e9e2 100644
--- a/detection/execution/recently-created-executables-long-lived-macos.sql
+++ b/detection/execution/recently-created-executables-long-lived-macos.sql
@@ -194,6 +194,10 @@ WHERE
 AND p0.path NOT LIKE '%/.%'
 AND p0.path NOT LIKE '%Cache%'
 )
+ AND NOT homepath LIKE '~/%/terraform-provider-%'
+ AND NOT homepath LIKE '~/src/%'
+ AND NOT homepath LIKE '~/github/%'
+ AND NOT homepath LIKE '~/go/src/%'
 -- Arc
 AND NOT (
 p0.path LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%'
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql
index 2278343..cc1d436 100644
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@@ -52,6 +52,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
 'curl,500,nvim,nvim',
 'curl,307,bash,nix',
 'curl,500,bash,bash',
+ 'curl,0,sh,qualys-scan-uti',
 'curl,500,bash,fakeroot',
 'curl,500,bash,fish',
 'curl,500,bash,nix-daemon',
diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
index 2c97c97..25a3085 100644
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@@ -103,6 +103,7 @@ WHERE
 OR p1_cmd LIKE '%aws %sso%'
 OR p1_cmd LIKE '%gcloud% auth %login%'
 OR p1_cmd LIKE '% /opt/homebrew/bin/jupyter%notebook'
+ OR p1_cmd LIKE '/bin/sh %/opt/homebrew/bin/git-gui%'
 OR p1_authority = 'Developer ID Application: Docker Inc (9BNSXJN65R)'
 OR p1_name IN ('yubikey-agent')
 OR (
@@ -117,6 +118,5 @@ WHERE
 'osascript -e user locale of (get system info)',
 '/usr/bin/osascript -e do shell script "/bin/rm -Rf /opt/vagrant /usr/local/bin/vagrant" with administrator privileges'
 )
- GROUP BY pe.pid
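Review bot: The four new `AND NOT homepath LIKE ...` lines exempt everything under `~/src/`, `~/github/`, `~/go/src/` and any `terraform-provider-*` directory at any depth (`'~/%/terraform-provider-%'`), which removes freshly built binaries in checked-out repositories from a detection whose purpose is recently created, long-lived executables; a cloned repository is also where a build-time payload would land, so the trade-off should be written down above the block, e.g. `-- developer source trees: local builds produce new long-lived binaries constantly`. The lines also use `AND NOT homepath LIKE` while the neighbouring conditions write `p0.path NOT LIKE`; `AND homepath NOT LIKE '~/src/%'` keeps the file's style. `homepath` is defined outside the hunk, as is the rest of this WHERE clause.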
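Review bot: The hunk header shows this list sits under a `-- NOTE: The remainder of this query is synced with unexpected-fetcher-par…` comment, yet the diff adds `'curl,0,sh,qualys-scan-uti'` only here; the sibling query named in that note needs the same entry or the two will drift. The entry also sits between `'curl,500,bash,bash'` and `'curl,500,bash,fakeroot'`, inside the uid-500 `bash` run, whereas a uid-0 `sh` parent belongs with whatever other `sh` entries exist. A comment noting that `qualys-scan-uti` is presumably the 15-character truncated name of a Qualys scan utility would save the next reader a lookup.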
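Review bot: The `%` right after `/bin/sh ` in `'/bin/sh %/opt/homebrew/bin/git-gui%'` matches any text between the shell and the git-gui path, so any `/bin/sh` command line that mentions `/opt/homebrew/bin/git-gui` anywhere in its arguments is exempted, not only git-gui's own launcher. If the observed parent is `/bin/sh /opt/homebrew/bin/git-gui` (presumably the Homebrew wrapper script), the tighter `'/bin/sh /opt/homebrew/bin/git-gui%'` pins it; if the real form has flags in between, match those explicitly rather than with a wildcard. The surrounding `OR` chain continues outside the hunk.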
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 58a3361..62e4f13 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -60,9 +60,9 @@ WHERE
 'cargo',
 'chrome',
 'clamscan',
- 'dnf',
 'code',
 'com.apple.NRD.UpdateBrainService',
+ 'dnf',
 'docker',
 'electron',
 'emacs',
@@ -102,6 +102,7 @@ WHERE
 'spotify',
 'steam',
 'systemd',
+ 'terraform-provider-apko',
 'thunderbird',
 'tilt',
 'unattended-upgr',
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index df03456..3376bd7 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -198,6 +198,7 @@ WHERE
 '/bin/bash /usr/local/bin/mount-product-files',
 '/bin/sh -c black .',
 '/bin/sh -c lsb_release -a --short',
+ '/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice',
 '/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',
 '/bin/sh -c scutil --get ComputerName',
 "/bin/sh -c defaults delete 'com.cisco.webexmeetingsapp'",
@@ -250,6 +251,7 @@ WHERE
 'bash,500,com.docker.dev-envs,com.docker.backend',
 'bash,500,Foxit PDF Reader,launchd',
 'bash,500,script,bash',
+ 'sh,500,LogiTune,launchd',
 'bash,500,docker-builder,bash',
 'bash,500,Hyprland,gdm-wayland-session',
 'bash,500,gnome-session-binary,systemd',
diff --git a/detection/initial_access/unexpected-webmail-downloads.sql b/detection/initial_access/unexpected-webmail-downloads.sql
index ae81225..317adc4 100644
--- a/detection/initial_access/unexpected-webmail-downloads.sql
+++ b/detection/initial_access/unexpected-webmail-downloads.sql
@@ -49,6 +49,7 @@ WHERE
 'mov',
 'mp3',
 'mp4',
+ 'Dockerfile',
 'mpeg',
 'mpg',
 'ods',
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index 09c6220..42bb674 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
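Review bot: `'/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice'` is an exact command-line exemption with no parent recorded in the entry, so whatever spawns this shell line is exempted; since this is the standard way to read the machine's hardware UUID and serial, it is also a common fingerprinting step, and the entry deserves a comment naming the application that was seen running it, e.g. `-- <app>: reads hardware UUID via ioreg`. Whether the exemption is parent-scoped depends on the column this list is compared against, which is outside the hunk.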
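Review bot: `'sh,500,LogiTune,launchd'` is placed in the middle of the `bash,500,...` entries; the list appears to be grouped by shell name, so it belongs with the `sh,` entries, or the group should be marked as unsorted. Minor, but these lists are long and ordering is what keeps duplicates out of them.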
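Review bot: `'Dockerfile'` is a file name, not an extension, and it is the only capitalised entry in a list of lowercase extensions (`'mp4'`, `'mpeg'`); whether it can ever match depends on how the compared column is derived from the download's name, which is outside the hunk — if that column is a lowercased extension, this entry is dead. If the intent is to exempt downloads named `Dockerfile`, the file-name column is the right place for that check, with a comment such as `-- Dockerfile has no extension; matched on the full name`.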
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -7,7 +7,8 @@
 -- * Almost unlimited: any extension that isn't on your whitelist
 --
 -- tags: persistent seldom browser
-SELECT name,
+SELECT
+ name,
 profile,
 chrome_extensions.description AS 'descr',
 persistent AS persists,
@@ -28,11 +29,13 @@ SELECT name,
 identifier
 ) AS exception_key,
 hash.sha256
-FROM users
+FROM
+ users
 CROSS JOIN chrome_extensions USING (uid)
 LEFT JOIN file ON chrome_extensions.path = file.path
 LEFT JOIN hash ON chrome_extensions.path = hash.path
-WHERE (
+WHERE
+ (
 -- These extensions need the most review.
 from_webstore != 'true'
 OR perms LIKE '%google.com%'
@@ -48,6 +51,7 @@ WHERE (
 AND exception_key NOT IN (
 -- Deprecated Google Extension
 'false,AgileBits,1Password – Password Manager,dppgmdbiimibapkepcbdbmkaabgiofem',
+ 'false,,Sigstore close post-auth tabs,',
 'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,',
 'false,,base64 encode or decode selected text,',
 'false,,Edge relevant text changes,jmjflgjpcpepeafmmgdpfkogkghcpiha',
@@ -220,4 +224,5 @@ WHERE (
 'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
 'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle'
 )
-GROUP BY exception_key
\ No newline at end of file
+GROUP BY
+ exception_key
diff --git a/detection/persistence/unexpected-lock-opener.sql b/detection/persistence/unexpected-lock-opener.sql
index 233b261..26efba3 100644
--- a/detection/persistence/unexpected-lock-opener.sql
+++ b/detection/persistence/unexpected-lock-opener.sql
@@ -61,6 +61,7 @@ WHERE
 AND NOT exception_key IN (
 '0,com.apple.MobileSoftwareUpdate.CryptegraftService,/private/var/db/softwareupdate/SplunkHistory',
 '0,snapd,/var/lib/snapd',
+ '120,gnome-shell,/run/user/120',
 '200,NRDUpdated,/private~/SplunkHistory',
 '200,softwareupdated,/private~/SplunkHistory',
 '500,Adobe Premiere Pro 2023,~/Library/Caches/Adobe/Premiere Pro/23.0/SentryIO-db',
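Review bot: `'false,,Sigstore close post-auth tabs,'` pins neither the author nor the extension identifier (both fields are empty), so any non-webstore extension that declares the display name "Sigstore close post-auth tabs" satisfies the exception. For a persistence detection keyed on unpacked extensions, the identifier is the field that is hard to collide on; if this extension has a stable id (an unpacked extension's id follows its load path unless the manifest pins a key), fill in the last field, and otherwise add a comment saying why it cannot be pinned, e.g. `-- internal unpacked extension; id varies per load path`. The new line also sits directly under the `-- Deprecated Google Extension` comment, which it does not describe. The `NOT IN (...)` list continues outside the hunk.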
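Review bot: `'120,gnome-shell,/run/user/120'` exempts uid 120 by number alone, and which account owns uid 120 is distribution-specific (it is in the system-account range, so presumably the display-manager user); a comment naming the account, e.g. `-- uid 120: display-manager session on <distro>`, would make the entry reviewable later. The enclosing list continues outside the hunk.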
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
index 270e4c7..1c0c3e6 100644
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@@ -294,6 +294,7 @@ WHERE -- Focus on longer-running programs
 'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
 'Developer ID Application: Foxit Corporation (8GN47HTP75)',
 'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
+ 'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
 'Developer ID Application: Google LLC (EQHXZ8M8AV)',
 'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
 'Developer ID Application: Keybase, Inc. (99229SGT5K)',
diff --git a/detection/privesc/unexpected-elevated-children-events_macos.sql b/detection/privesc/unexpected-elevated-children-events_macos.sql
index 43642b4..d8b8d5e 100644
--- a/detection/privesc/unexpected-elevated-children-events_macos.sql
+++ b/detection/privesc/unexpected-elevated-children-events_macos.sql
@@ -7,7 +7,7 @@
 -- related:
 -- * unexpected-privilege-escalation.sql
 --
--- tags: events process escalation
+-- tags: events process escalation disabled
 -- platform: darwin
 -- interval: 300
 SELECT -- Child
@@ -113,6 +113,7 @@ WHERE
 'amfid,0,com.docker.backend,Docker',
 'biometrickitd,0,LogiTune,launchd',
 'bioutil,0,callservicesd,launchd',
+ 'com.apple.geod,0,fmfd,launchd',
 'trustd,205,trustd,launchd',
 'CAReportingService,0,LogiTune,launchd',
 'efilogin-helper,0,containermanagerd,launchd',
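Review bot: The Slack Developer ID is inserted between `Fumihiko Takayama` and `Google LLC`, breaking the alphabetical order of the authority list; it belongs after `Keybase`, or wherever `S` sorts in the portion of the list outside the hunk. Allow-listing a whole Developer ID for uid-0 daemons also covers every binary Slack signs, not only the daemon that was observed, so a comment naming that daemon would help, e.g. `-- Slack: <daemon/helper name>`.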
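Review bot: Adding `disabled` to the `tags:` line turns this privilege-escalation detection off entirely, and the hunk carries no note of why or for how long; the exception list below is still being extended in the same commit (`'com.apple.geod,0,fmfd,launchd'`), which suggests the disable is a stop-gap for noise rather than a retirement. Record that in the header so it gets revisited, e.g. `-- disabled: <reason> since <date>; re-enable once <condition>` (placeholders), or reference a tracking issue from the comment. Whether the runner honours a `disabled` tag is outside the page.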