diff --git a/10_process_access/include_office_process_creation.xml b/10_process_access/include_office_process_creation.xml
new file mode 100644
index 00000000..52060bbe
--- /dev/null
+++ b/10_process_access/include_office_process_creation.xml
@@ -0,0 +1,14 @@
+<Sysmon schemaversion="4.30">
+  <!-- Capture all hashes -->
+  <HashAlgorithms>*</HashAlgorithms>
+  <EventFiltering>
+    <RuleGroup name="" groupRelation="or">
+      <ProcessAccess onmatch="include">
+        <Rule name="Office Process Creation" groupRelation="and">
+          <SourceImage condition="contains all">C:\Program Files;\Microsoft Office\Root\Office</SourceImage>
+          <CallTrace condition="contains">C:\Windows\System32\KERNELBASE.dll+76516</CallTrace>
+        </Rule>
+      </ProcessAccess>
+    </RuleGroup>
+  </EventFiltering>
+</Sysmon>
diff --git a/12_13_14_registry_event/include_windows_secureboot.xml b/12_13_14_registry_event/include_windows_secureboot.xml
new file mode 100644
index 00000000..d72ec147
--- /dev/null
+++ b/12_13_14_registry_event/include_windows_secureboot.xml
@@ -0,0 +1,11 @@
+<Sysmon schemaversion="4.30">
+  <!-- Capture all hashes -->
+  <HashAlgorithms>*</HashAlgorithms>
+  <EventFiltering>
+    <RuleGroup name="" groupRelation="or">
+      <RegistryEvent onmatch="include">
+        <TargetObject condition="begin with">HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State</TargetObject>
+      </RegistryEvent>
+    </RuleGroup>
+  </EventFiltering>
+</Sysmon>
diff --git a/17_18_pipe_event/include_psexec.xml b/17_18_pipe_event/include_psexec.xml
index ab19452d..062779b1 100644
--- a/17_18_pipe_event/include_psexec.xml
+++ b/17_18_pipe_event/include_psexec.xml
@@ -3,7 +3,11 @@
     <RuleGroup name="" groupRelation="or">
       <PipeEvent onmatch="include">
         <PipeName name="technique_id=T1021.002,technique_name=SMB/Windows Admin Shares" condition="begin with">\PSEXESVC</PipeName>
+        <Rule name="Potential PSExec_psh Activity" groupRelation="and">
+          <Image name="PSExec_psh" condition="contains any">ADMIN$;C$;IPC$</Image>
+          <Image name="PSExec_psh" condition="contains any">.exe;.dll</Image>
+        </Rule>
       </PipeEvent>
     </RuleGroup>
   </EventFiltering>
-</Sysmon>
\ No newline at end of file
+</Sysmon>
diff --git a/7_image_load/exclude_zoom.xml b/7_image_load/exclude_zoom.xml
new file mode 100644
index 00000000..3f4a9d8a
--- /dev/null
+++ b/7_image_load/exclude_zoom.xml
@@ -0,0 +1,20 @@
+<Sysmon schemaversion="4.30">
+  <!-- Capture all hashes -->
+  <HashAlgorithms>*</HashAlgorithms>
+  <EventFiltering>
+    <RuleGroup name="" groupRelation="or">
+      <ImageLoad onmatch="exclude">
+        <Rule groupRelation="and">
+          <ImageLoaded condition="contains all">C:\Users\;\AppData\Roaming\Zoom\bin\;dll</ImageLoaded>
+          <Image condition="begin with">C:\Windows\System32\</Image>
+          <Company condition="contains">Zoom Video Communications</Company>
+        </Rule>
+        <Rule groupRelation="and">
+          <ImageLoaded condition="contains all">C:\Users\;\AppData\Roaming\Zoom\bin\;dll</ImageLoaded>
+          <Image condition="contains all">C:\Users\;\AppData\Roaming\Zoom\bin\;exe</Image>
+          <Company condition="contains">Zoom Video Communications</Company>
+        </Rule>
+      </ImageLoad>
+    </RuleGroup>
+  </EventFiltering>
+</Sysmon>