diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index a44d7142..c5e60d58 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -451,7 +451,7 @@
 and not proc.cmdline contains /usr/bin/mandb
 output: >
 Sensitive file opened for reading by non-trusted program (user=%user.name name=%proc.name
- command=%proc.cmdline file=%fd.name)
+ command=%proc.cmdline file=%fd.name parent=%proc.pname gparent=%proc.aname[2])
 priority: WARNING
 tags: [filesystem]
@@ -763,7 +763,7 @@
 not proc.cmdline startswith "passwd -S"
 output: >
 User management binary command run outside of container
- (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2])
+ (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3])
 priority: NOTICE
 tags: [host, users]
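Review bot: The new `parent=%proc.pname gparent=%proc.aname[2]` fields in the "Sensitive file opened for reading" output carry only process names, which the process itself controls (comm can be set with prctl or by exec'ing a renamed copy), so an analyst cannot rely on them alone to tell a benign `bash` ancestor from a spoofed one. Since the rule already emits the full command line for the reading process, pairing the ancestry with something the kernel assigns, or with the parent's arguments, makes the alert actionable without another lookup; if the Falco build in use exposes them, `command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline ppid=%proc.ppid gparent=%proc.aname[2])` would do. Note that `%proc.aname[2]` renders as `<NA>` when the ancestor chain is shorter than two levels, which is expected for daemon-spawned readers and should not be read as a sign of tampering; a short comment on the `output:` key saying so would save triage time. The rule's `- rule:` and `condition:` lines are above this hunk and are not visible here.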
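Review bot: Extending the "User management binary" output to `ggparent=%proc.aname[3]` gives this rule one more level of ancestry than the sensitive-file rule changed in the same commit, so the two alerts will not pivot the same way in a SIEM; the ancestry depth should be chosen once and applied to both rules, or documented as deliberate. As with any `proc.aname[n]` index, the field prints `<NA>` for processes started directly under init or a container runtime, so a one-line comment above `output: >` such as `# ancestry fields print <NA> when the process tree is shallower than the index` would stop analysts from treating that as a gap in telemetry. The rule's condition (including the `passwd -S` exclusion visible in the first context line) begins outside this hunk.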