diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index 7ec07f8..e09c899 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -248,6 +248,7 @@ WHERE
 )
 OR exception_key IN (
 'bash,0,auditd,launchd',
+ 'sh,0,expect,kandji-daemon',
 'bash,0,etcd,containerd-shim-runc-v2',
 'bash,0,kube-apiserver,containerd-shim-runc-v2',
 'bash,0,mutter-x11-frames,gnome-shell',
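Review bot: The added `'sh,0,expect,kandji-daemon'` entry suppresses alerts for a root `sh` without any comment recording which Kandji workflow needs it, so a later reader cannot tell whether the exception is still justified. Judging by the key's shape, it appears to match on process names and a uid only; the expression that builds `exception_key` is outside this hunk, as are the start and end of the `WHERE` clause. If so, the exception is as broad as those two names. I would put a line above it such as `-- Kandji agent: <workflow that runs sh via expect as root>`, and narrow the match by path or signing identity if this query exposes such a column. The entry also sits between `bash,0,auditd,…` and `bash,0,etcd,…`, which breaks what looks like an ordered list.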