diff --git a/detection/execution/yara-unexpected-miner-process.sql b/detection/execution/yara-unexpected-miner-process.sql
index e8946c94..2625a995 100644
--- a/detection/execution/yara-unexpected-miner-process.sql
+++ b/detection/execution/yara-unexpected-miner-process.sql
@@ -42,7 +42,17 @@ FROM
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
- p0.start_time > (strftime('%s', 'now') - 7200)
+ p0.pid IN (
+ SELECT
+ pid
+ FROM
+ processes
+ WHERE
+ start_time > (strftime('%s', 'now') - 7200)
+ AND path != ""
+ GROUP BY
+ path
+ )
 AND yara.sigrule = '
 rule miner {
 strings:
@@ -54,4 +64,4 @@ WHERE
 condition:
 filesize < 10MB and 1 of them
 }'
- AND yara.count > 0
\ No newline at end of file
+ AND yara.count > 0
diff --git a/detection/execution/yara-unexpected-upx-process.sql b/detection/execution/yara-unexpected-upx-process.sql
index ffe5aff9..5e4d0472 100644
--- a/detection/execution/yara-unexpected-upx-process.sql
+++ b/detection/execution/yara-unexpected-upx-process.sql
@@ -39,7 +39,17 @@ FROM
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
- p0.start_time > (strftime('%s', 'now') - 7200)
+ p0.pid IN (
+ SELECT
+ pid
+ FROM
+ processes
+ WHERE
+ start_time > (strftime('%s', 'now') - 7200)
+ AND path != ""
+ GROUP BY
+ path
+ )
 AND yara.sigrule = '
 rule upx {
 strings:
@@ -48,4 +58,4 @@ WHERE
 condition:
 $upx_sig in (0..1024)
 }'
- AND yara.count > 0
\ No newline at end of file
+ AND yara.count > 0
diff --git a/detection/exfil/yara-exec-connect-process-linux.sql b/detection/exfil/yara-exec-connect-process-linux.sql
index 0c23c822..589677da 100644
--- a/detection/exfil/yara-exec-connect-process-linux.sql
+++ b/detection/exfil/yara-exec-connect-process-linux.sql
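Review bot: The new `p0.pid IN (... GROUP BY path)` subquery returns a bare `pid` from an aggregate query, so when several processes were started from the same binary only one pid per path survives the filter, and SQLite (which osquery embeds) takes that pid from an arbitrary row of the group; which instance gets alerted on, and whose parent/cmdline context appears in the result, can therefore vary between runs and the other instances are silently dropped. If the intent is to YARA-scan each path once, make the representative deterministic, e.g. `SELECT MIN(pid)` in place of `SELECT pid`, and note the dedup in a comment above the subquery such as `-- scan each distinct binary path once; MIN(pid) picks the earliest instance`. The added `path != ""` uses double quotes, which SQLite parses as an identifier and only falls back to a string literal when no such column exists; `path != ''` is the unambiguous form. The identical subquery (same bare `pid` and `""` literal) is introduced in yara-unexpected-upx-process.sql, yara-exec-connect-process-linux.sql, yara-unexpected-go-crypt-exec-process.sql, yara-unexpected-rust-http-exec-process.sql, yara-libtomcrypt-process.sql and yara-suspicious-strings-process-linux.sql. The enclosing SELECT, including the join that ties p0 to the yara table, begins above the hunk.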
@@ -42,9 +42,18 @@ FROM
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
- p0.start_time > (strftime('%s', 'now') - 7200)
- AND
- yara.sigrule = '
+ p0.pid IN (
+ SELECT
+ pid
+ FROM
+ processes
+ WHERE
+ start_time > (strftime('%s', 'now') - 7200)
+ AND path != ""
+ GROUP BY
+ path
+ )
+ AND yara.sigrule = '
 rule syscalls {
 strings:
 $inet_ntoa = "inet_ntoa"
diff --git a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
index a3922e86..2eb9f2f7 100644
--- a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
+++ b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
@@ -42,7 +42,17 @@ FROM
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
- p0.start_time > (strftime('%s', 'now') - 3600)
+ p0.pid IN (
+ SELECT
+ pid
+ FROM
+ processes
+ WHERE
+ start_time > (strftime('%s', 'now') - 3600)
+ AND path != ""
+ GROUP BY
+ path
+ )
 AND yara.sigrule = '
 rule cryptexec {
 strings:
diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
index b9b2a1dc..c7ce85e9 100644
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@@ -38,7 +38,17 @@ FROM
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
- p0.start_time > (strftime('%s', 'now') - 7200)
+ p0.pid IN (
+ SELECT
+ pid
+ FROM
+ processes
+ WHERE
+ start_time > (strftime('%s', 'now') - 7200)
+ AND path != ""
+ GROUP BY
+ path
+ )
 AND yara.sigrule = '
 rule http_exec {
 strings:
diff --git a/detection/persistence/yara-libtomcrypt-process.sql b/detection/persistence/yara-libtomcrypt-process.sql
index 31b6e988..18d79ba4 100644
--- a/detection/persistence/yara-libtomcrypt-process.sql
+++ b/detection/persistence/yara-libtomcrypt-process.sql
@@ -42,14 +42,23 @@ FROM
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
- p0.start_time > (strftime('%s', 'now') - 3600)
- AND
- yara.sigrule = '
- rule redflags {
- strings:
- $libtomcrypt = "LibTomCrypt"
- $email = "tomstdenis@gmail.com"
- condition:
- filesize < 10MB and 1 of them
-}'
- AND yara.count > 0
\ No newline at end of file
+ p0.pid IN (
+ SELECT
+ pid
+ FROM
+ processes
+ WHERE
+ start_time > (strftime('%s', 'now') - 3600)
+ AND path != ""
+ GROUP BY
+ path
+ )
+ AND yara.sigrule = '
+ rule redflags {
+ strings:
+ $libtomcrypt = "LibTomCrypt"
+ $email = "tomstdenis@gmail.com"
+ condition:
+ filesize < 10MB and 1 of them
+ }'
+ AND yara.count > 0
diff --git a/detection/persistence/yara-suspicious-strings-process-linux.sql b/detection/persistence/yara-suspicious-strings-process-linux.sql
index 37751a7d..c225d967 100644
--- a/detection/persistence/yara-suspicious-strings-process-linux.sql
+++ b/detection/persistence/yara-suspicious-strings-process-linux.sql
@@ -42,7 +42,17 @@ FROM
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
- p0.start_time > (strftime('%s', 'now') - 7200)
+ p0.pid IN (
+ SELECT
+ pid
+ FROM
+ processes
+ WHERE
+ start_time > (strftime('%s', 'now') - 7200)
+ AND path != ""
+ GROUP BY
+ path
+ )
 AND yara.sigrule = '
 rule redflags {
 strings: