diff --git a/changes/issue-8699-fix-rejected-valid-agent-options b/changes/issue-8699-fix-rejected-valid-agent-options
new file mode 100644
index 000000000..6c80cc136
--- /dev/null
+++ b/changes/issue-8699-fix-rejected-valid-agent-options
@@ -0,0 +1 @@
+* Fixed validation of agent options where valid options were being rejected (such as `exclude_paths`).
diff --git a/cmd/fleetctl/apply_test.go b/cmd/fleetctl/apply_test.go
index 261499bb9..22846d087 100644
--- a/cmd/fleetctl/apply_test.go
+++ b/cmd/fleetctl/apply_test.go
@@ -1323,6 +1323,23 @@ spec:
 `,
 wantErr: `422 Validation Failed: host_percentage must be > 0 to enable the host status webhook`,
 },
+ {
+ desc: "config with FIM values for agent options (#8699)",
+ spec: `
+apiVersion: v1
+kind: config
+spec:
+ agent_options:
+ config:
+ file_paths:
+ ssh:
+ - /home/%/.ssh/authorized_keys
+ exclude_paths:
+ ssh:
+ - /home/ubuntu/.ssh/authorized_keys
+`,
+ wantOutput: `[+] applied fleet config`,
+ },
 }
 // NOTE: Integrations required fields are not tested (Jira/Zendesk) because
 // they require a complex setup to mock the client that would communicate
diff --git a/server/fleet/agent_options.go b/server/fleet/agent_options.go
index 4b8d96289..b8cc21d8a 100644
--- a/server/fleet/agent_options.go
+++ b/server/fleet/agent_options.go
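Review bot: Only `exclude_paths` is exercised by the new table entry in cmd/fleetctl/apply_test.go; the same commit also adds `file_paths_query` and `yara.signature_urls` to `osqueryAgentOptions`, and neither appears in a spec here, so a mistake in their JSON tags would not fail any test visible in this diff. I would extend the YAML with a `file_paths_query:` category and a `yara:` block carrying a `signature_urls:` list, so all three newly accepted keys are pinned. A companion entry with a wrongly typed value (for example a scalar where `exclude_paths` expects a map) and a `wantErr` would also show that loosening the validator did not turn it into accept-anything; the exact error text has to come from the validator, which is not shown. The test table and its enclosing function start outside the hunk.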
@@ -81,10 +81,17 @@ type osqueryAgentOptions struct {
 FilePaths map[string][]string `json:"file_paths"`
 FileAccesses []string `json:"file_accesses"`
+ // Documentation for the following 2 fields is "hidden" in osquery's FIM page:
+ // https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
+ FilePathsQuery map[string][]string `json:"file_paths_query"`
+ ExcludePaths map[string][]string `json:"exclude_paths"`
 YARA struct {
 Signatures map[string][]string `json:"signatures"`
 FilePaths map[string][]string `json:"file_paths"`
+ // Documentation for signature_urls is "hidden" in osquery's YARA page:
+ // https://osquery.readthedocs.io/en/stable/deployment/yara/#retrieving-yara-rules-at-runtime
+ SignatureURLs []string `json:"signature_urls"`
 } `json:"yara"`
 PrometheusTargets struct {
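Review bot: The comment above `SignatureURLs` says where the option is documented but not what it controls, and this field is more sensitive than its neighbours. Going by the linked section on retrieving YARA rules at runtime, `signature_urls` appears to list the URLs osquery is permitted to fetch rules from, so it widens what remote content hosts will load. I would state that in the comment, e.g. `// signature_urls lists the URLs osquery may fetch YARA rules from at runtime; entries are not checked beyond being strings.` As far as this hunk shows, the struct constrains the value only to `[]string`, so an empty string or a plain-http URL passes; if Fleet is meant to reject those, the check has to be added outside this struct. The `osqueryAgentOptions` definition starts and ends outside the hunk.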