diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 7ee4ab4a..56d9f5a6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -861,7 +861,8 @@
- macro: exe_running_docker_save
condition: >
proc.name = "exe"
- and proc.cmdline contains "/var/lib/docker"
+ and (proc.cmdline contains "/var/lib/docker"
+ or proc.cmdline contains "/var/run/docker")
and proc.pname in (dockerd, docker)
# Ideally we'd have a length check here as well but sysdig