diff --git a/incident_response/memory_map.sql b/incident_response/memory_map.sql
index 141eb18..307e795 100644
--- a/incident_response/memory_map.sql
+++ b/incident_response/memory_map.sql
@@ -1,7 +1,7 @@
 -- Returns the OS memory region map.
 --
 -- tags: postmortem
--- platform: posix
+-- platform: linux
 SELECT
   *
 FROM
diff --git a/incident_response/process_open_pipes.sql b/incident_response/process_open_pipes.sql
index 6cc6bfd..2ede95c 100644
--- a/incident_response/process_open_pipes.sql
+++ b/incident_response/process_open_pipes.sql
@@ -1,7 +1,7 @@
 -- Return the list of open pipes per process
 --
 -- tags: postmortem
--- platform: posix
+-- platform: macos
 SELECT
   p.path AS p_path,
   p.name AS p_name,
diff --git a/incident_response/processes-root-not-apple-macos.sql b/incident_response/processes-root-not-apple-macos.sql
index 67fc41e..14b28db 100644
--- a/incident_response/processes-root-not-apple-macos.sql
+++ b/incident_response/processes-root-not-apple-macos.sql
@@ -1,7 +1,7 @@
 -- Programs running as root from unusual signers on macOS
 --
 -- platform: darwin
--- tags: transient often process state
+-- tags: transient process
 -- Canonical example of including process parents from process_events
 SELECT
   p.*,
@@ -10,10 +10,13 @@ FROM
   processes p
   LEFT JOIN signature s ON p.path = s.path
 WHERE
-  p.euid = 0
-  AND p.path NOT LIKE "/System/%"
-  AND p.path NOT LIKE "/Library/Apple/%"
-  AND p.path NOT LIKE "/usr/bin/%"
-  AND p.path NOT LIKE "/usr/libexec/%"
-  AND p.path NOT LIKE "/usr/sbin/%"
+  p.pid IN (
+    SELECT pid FROM processes WHERE
+    p.euid = 0
+    AND p.path NOT LIKE "/System/%"
+    AND p.path NOT LIKE "/Library/Apple/%"
+    AND p.path NOT LIKE "/usr/bin/%"
+    AND p.path NOT LIKE "/usr/libexec/%"
+    AND p.path NOT LIKE "/usr/sbin/%"
+  )
   AND s.authority NOT IN ('Software Signing')
\ No newline at end of file
diff --git a/incident_response/shared_memory.sql b/incident_response/shared_memory.sql
index 0106ca6..fd8c10a 100644
--- a/incident_response/shared_memory.sql
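Review bot: In the second hunk of processes-root-not-apple-macos.sql, the new `p.pid IN (SELECT pid FROM processes WHERE p.euid = 0 AND p.path NOT LIKE …)` subquery filters on the outer alias `p` rather than on the unaliased inner `processes` table, so it is a correlated subquery that yields every pid whenever the outer row already satisfies the conditions and nothing otherwise — the rows returned are the same as with the removed flat predicate, but the process table is now rescanned once per candidate row. Unless the intent was to filter the inner table (which would need `euid = 0 AND path NOT LIKE …` without the `p.` prefix and would still reduce to a plain filter), the six conditions should sit directly under `WHERE` as before. Separately, the context line `AND s.authority NOT IN ('Software Signing')` discards every process with no matching `signature` row, because the LEFT JOIN leaves `s.authority` NULL and `NULL NOT IN (...)` never evaluates true; for a hunt for unexpectedly-signed root processes that silently hides unsigned binaries, so `AND (s.authority IS NULL OR s.authority NOT IN ('Software Signing'))` is probably what is wanted — worth confirming against the query's intent. The header `-- Canonical example of including process parents from process_events` in the first hunk of the same file does not describe this query, which never references process_events; it should be corrected or dropped.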
+++ b/incident_response/shared_memory.sql
@@ -1,7 +1,7 @@
 -- Return shared memory info
 --
 -- tags: postmortem
--- platform: posix
+-- platform: linux
 SELECT
   shm.*,
   p.name AS p_name,