diff --git a/fd/unexpected-dev-opener.sql b/fd/unexpected-dev-opener.sql
index b711c85..de51e97 100644
--- a/fd/unexpected-dev-opener.sql
+++ b/fd/unexpected-dev-opener.sql
@@ -29,6 +29,7 @@ WHERE pof.path LIKE '/dev/%'
 '/dev/vga_arbiter',
 '/dev/tty'
 )
+ AND NOT pof.path LIKE '/dev/hidraw%'
 AND NOT pof.path LIKE '/dev/ttys%'
 AND NOT pof.path LIKE '/dev/pts/%'
 AND NOT pof.path LIKE '/dev/snd/pcm%'
@@ -36,7 +37,6 @@ WHERE pof.path LIKE '/dev/%'
 AND NOT pof.path LIKE '/dev/shm/.com.google.%'
 AND NOT pof.path LIKE '/dev/shm/.org.chromium.%'
 AND NOT pof.path LIKE '/dev/shm/wayland.mozilla.%'
- AND NOT (device LIKE '/dev/hidraw%' AND p.name IN ('chrome', 'depmod'))
 AND NOT (device LIKE '/dev/shm/.%' AND p.name = 'firefox')
 AND NOT (device LIKE "/dev/video%" AND p.name IN ('chrome', 'firefox', 'obs', 'ffmpeg', 'obs-ffmpeg-mux', 'ffmpeg-mux', 'vlc'))
 AND NOT (
@@ -115,6 +115,7 @@ WHERE pof.path LIKE '/dev/%'
 '/System/Library/Frameworks/GSS.framework/Helpers/GSSCred',
 '/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd',
 '/usr/libexec/TouchBarServer',
+ '/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm',
 '/usr/sbin/securityd'
 )
 )
diff --git a/fd/unexpected-pcap-user.sql b/fd/unexpected-pcap-user.sql
index 22458b2..428689a 100644
--- a/fd/unexpected-pcap-user.sql
+++ b/fd/unexpected-pcap-user.sql
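Review bot: The new `AND NOT pof.path LIKE '/dev/hidraw%'` in the first hunk silences every process that opens a raw HID node, whereas the line removed in the next hunk scoped that exception to `p.name IN ('chrome', 'depmod')`; hidraw is precisely what a user-space keystroke or badge-reader sniffer reads, so a path-wide exclusion removes the only signal this rule had for that class of tooling. If the change is driven by more legitimate HID readers showing up, keep the process-scoped form and extend the name list rather than dropping the process check, e.g. `AND NOT (pof.path LIKE '/dev/hidraw%' AND p.name IN ('chrome', 'depmod'))` with the newly observed names appended. Note the dropped line keyed on `device` while the new one keys on `pof.path`; if those are not the same column in this query the replacement is not equivalent. The enclosing WHERE clause starts before this hunk, so I cannot see whether another predicate already constrains hidraw openers.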
@@ -8,10 +8,20 @@ SELECT pmm.pid,
 FROM process_memory_map pmm
 JOIN processes p ON pmm.pid = p.pid
 WHERE pmm.path LIKE "%libpcap%"
-AND euid=0
-AND proc_path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
-AND proc_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-journald"
-AND proc_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-logind"
-AND proc_path NOT LIKE "/nix/store/%-systemd-%/bin/udevadm"
-AND proc_cmd NOT IN ('/nix/var/nix/profiles/default/bin/nix-daemon', '/run/current-system/systemd/lib/systemd/systemd', '/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid')
-GROUP BY pmm.pid
+ AND euid = 0
+ AND proc_path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd"
+ AND proc_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-journald"
+ AND proc_path NOT LIKE "/nix/store/%-systemd-%/lib/systemd/systemd-logind"
+ AND proc_path NOT LIKE "/nix/store/%-systemd-%/bin/udevadm"
+ AND proc_path NOT LIKE "/System/Library/%"
+ AND proc_path NOT IN (
+ '/usr/libexec/UserEventAgent',
+ '/usr/sbin/systemstats',
+ '/usr/sbin/cupsd'
+ )
+ AND proc_cmd NOT IN (
+ '/nix/var/nix/profiles/default/bin/nix-daemon',
+ '/run/current-system/systemd/lib/systemd/systemd',
+ '/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid'
+ )
+GROUP BY pmm.pid
\ No newline at end of file
diff --git a/process/name_path_mismatch.sql b/process/name_path_mismatch.sql
index a2263bd..df6f03c 100644
--- a/process/name_path_mismatch.sql
+++ b/process/name_path_mismatch.sql
@@ -6,6 +6,7 @@ FROM processes p
 JOIN file f ON p.path = f.path
 WHERE SUBSTR(f.filename, 0, 8) != SUBSTR(p.name, 0, 8)
 AND NOT (p.name='gjs' AND filename='gjs-console')
+AND NOT (p.name='gnome-character' AND filename='gjs-console')
 AND NOT (p.name='mysqld' AND filename='mariadbd')
 AND NOT (p.name='tmux:client' AND filename='tmux')
 AND NOT (p.name='tmux:server' AND filename='tmux')
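Review bot: `AND proc_path NOT LIKE "/System/Library/%"` is a prefix exclusion over an entire tree, while every other allowlist entry in this hunk names one binary; on macOS that tree is SIP-protected so the trust is defensible, but the rule does not say so, and the identical line is a wide hole on a host where SIP has been disabled. I would either narrow it to the specific daemons observed mapping libpcap or add `-- SIP-protected on macOS; anything under here is Apple-signed` directly above it so the next reader knows the assumption. Separately, the hunk mixes double-quoted literals (`"%libpcap%"`, `"/System/Library/%"`) with single-quoted ones (`'/usr/sbin/cupsd'`); SQLite resolves a double-quoted token as an identifier first and only falls back to a string, so single quotes throughout are the safer convention. The SELECT list this filters starts before the hunk.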
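Review bot: The added exception repeats the `filename='gjs-console'` clause of the line above with a different `p.name`, and as more GJS-based apps appear the list will keep growing one line per app; folding them into one predicate keeps it readable: `AND NOT (f.filename='gjs-console' AND p.name IN ('gjs', 'gnome-character'))`. That form also qualifies `filename` as `f.filename`, matching the `SUBSTR(f.filename, ...)` two lines up, where the new line leaves it bare. A short comment such as `-- p.name is self-reported by the process (argv/prctl); these exceptions trust it` would make clear that any script launched via gjs-console can adopt an allowlisted name, which is a pre-existing property of the rule rather than something this line introduces.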
diff --git a/process/parent-missing-from-disk.sql b/process/parent-missing-from-disk.sql
index 48da6ba..b0fb46d 100644
--- a/process/parent-missing-from-disk.sql
+++ b/process/parent-missing-from-disk.sql
@@ -17,3 +17,4 @@ FROM processes p
 WHERE pp.on_disk != 1
 AND p.pid > 2
 AND pp.pid != 2 -- kthreadd
+AND pp.path NOT IN ('/opt/google/chrome/chrome')
\ No newline at end of file
diff --git a/process/unusual-fetcher.sql b/process/sketchy-fetcher.sql
similarity index 91%
rename from process/unusual-fetcher.sql
rename to process/sketchy-fetcher.sql
index 54ed513..0e70c2f 100644
--- a/process/unusual-fetcher.sql
+++ b/process/sketchy-fetcher.sql
@@ -40,6 +40,8 @@ WHERE
 p.cmdline LIKE "%curl %:9%" OR
 p.cmdline LIKE "%curl %--user-agent%" OR
 p.cmdline LIKE "%curl -fsSL%" OR
+ p.cmdline LIKE "%curl -k%" OR
+ p.cmdline LIKE "%curl%--insecure%" OR
 p.cmdline LIKE "%wget %/.%" OR
 p.cmdline LIKE "%wget %.0%" OR
 p.cmdline LIKE "%wget %.1%" OR
@@ -54,4 +56,5 @@ WHERE
 p.cmdline LIKE "%wget %--user-agent%" OR
 p.cmdline LIKE "%wget %--no-check-certificate%"
 )
-AND parent_name NOT IN ('makepkg')
\ No newline at end of file
+AND parent_name NOT IN ('makepkg')
+AND parent_cmdline NOT LIKE "%brew.rb upgrade"
\ No newline at end of file
diff --git a/process/unexpected-executable-directory.sql b/process/unexpected-executable-directory.sql
index c910453..412502e 100644
--- a/process/unexpected-executable-directory.sql
+++ b/process/unexpected-executable-directory.sql
@@ -85,5 +85,6 @@ WHERE directory NOT LIKE '/Applications/%.app/%'
 '/usr/lib64/firefox/firefox'
 )
 AND directory NOT LIKE '/Library/Application Support/Adobe/%'
+ AND directory NOT LIKE '/Library/Developer/CommandLineTools/Library/%'
 AND directory NOT LIKE '/Library/%/%.bundle/Contents/Helpers'
 AND NOT (directory='' AND name LIKE "runc%")
\ No newline at end of file
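Review bot: `AND pp.path NOT IN ('/opt/google/chrome/chrome')` exempts a parent purely on its path string, which is the attribute this rule exists to distrust: a parent whose binary is gone from disk is the deleted-binary evasion pattern, and anything that can write to that path (root, or a compromised updater) gets the same pass. If the trigger is Chrome's self-update swapping the binary under a running browser — presumably the motivation, given the path, though the commit does not say — bind the exception to more than the path and record the reason: `AND NOT (pp.path = '/opt/google/chrome/chrome' AND pp.name = 'chrome') -- chrome replaces its own binary on auto-update`. A one-element `NOT IN` also reads more naturally as `!=` unless further entries are planned. The FROM/JOIN that defines `pp` is outside this hunk.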
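Review bot: `p.cmdline LIKE "%curl -k%"` only fires when `-k` is the first token after `curl`; the clustered forms (`curl -sSLk`, `curl -kL`, `curl -Lk`) and a trailing `curl https://… -k` all slip past, whereas the sibling `"%curl%--insecure%"` is an unanchored substring match, so the two new lines cover very different fractions of the same behaviour. At minimum add `p.cmdline LIKE "%curl % -k%" OR` for the trailing-flag case; matching `k` inside a short-option cluster reliably needs a regex, e.g. osquery's `regex_match(p.cmdline, 'curl\s.*\s-[a-zA-Z]*k(\s|$)', 0)` — check that function's signature against the osquery build in use before relying on it. The OR chain continues beyond the hunk on both sides.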
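Review bot: `AND parent_cmdline NOT LIKE "%brew.rb upgrade"` allowlists on a string the parent process chooses for itself: any process can set its argv to end in `brew.rb upgrade` and then spawn `curl -k …`, and a rule named sketchy-fetcher will stay quiet, which is a cheap bypass. The existing `parent_name NOT IN ('makepkg')` has the same weakness, but the new line widens it by anchoring only the suffix. If the outer query exposes the parent's executable path (not visible in this hunk), pin the exception to it as well, along the lines of `AND NOT (parent_cmdline LIKE "%brew.rb upgrade" AND <parent path column> LIKE '%/bin/ruby')`, and add `-- Homebrew upgrades shell out to curl with -k for some formulae` so the reason survives. The query's FROM and column aliases begin before this hunk.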
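Review bot: `AND directory NOT LIKE '/Library/Developer/CommandLineTools/Library/%'` exempts a whole subtree, while the neighbouring Adobe and `%.bundle/Contents/Helpers` exclusions are scoped to a known layout; as far as I know `/Library/Developer/CommandLineTools` is root-owned but not SIP-protected, so a binary planted anywhere under that path by an admin-level actor is now invisible to this rule. Please note which helper produced the false positive, e.g. `-- CommandLineTools frameworks ship helper binaries under Library/ (seen: <helper name>)`, and narrow the pattern to that framework or helper directory if one suffices. The WHERE clause this extends starts before the hunk.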