diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 15250ae3..30047dae 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -494,6 +494,10 @@
 proc.cmdline="groupadd sumologic_collector") and
 (proc.pname=secureFiles.sh and proc.aname[2]=java))
 
+- macro: run_by_yum
+ condition: ((proc.pname=sh and proc.aname[2]=yum) or
+ (proc.aname[2]=sh and proc.aname[3]=yum))
+
 # Chef is similar.
 - macro: run_by_chef
 condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr or
@@ -1214,7 +1218,8 @@
 not proc.cmdline startswith "useradd -D" and
 not proc.cmdline startswith "systemd --version" and
 not run_by_qualys and
- not run_by_sumologic_securefiles
+ not run_by_sumologic_securefiles and
+ not run_by_yum
 output: >
 User management binary command run outside of container
 (user=%user.name command=%proc.cmdline parent=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4])
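Review bot: The new `run_by_yum` macro whitelists purely by process name (`proc.pname=sh and proc.aname[2]=yum`, or the same one level deeper), so any binary copied or renamed to `yum` that spawns `sh` can run `useradd`/`groupadd` beneath it without tripping the rule that consumes this macro. The neighbouring qualys/sumologic exclusions share that weakness, but this one is wider because `sh` under `yum` is the generic scriptlet path rather than a named script, and it carries none of the explanatory comment the others have (`# Chef is similar.` refers to one above it). Add a comment above the macro so the accepted bypass is on record, e.g. `# yum runs package scriptlets via /bin/sh; those may create service accounts with useradd/groupadd, so they are excluded below.` If the policy has to hold against a renamed binary, constraining the ancestor by executable path rather than name, where the Falco version in use supports that, would be the follow-up.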
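Review bot: The new `not run_by_yum` exception only recognises a `yum` ancestor, so the same scriptlet-driven `useradd`/`groupadd` calls will still raise this alert when packages are installed through `dnf` or `rpm` directly, leaving the allow-list inconsistent across RPM-based hosts; either widen the macro or document the gap. Put that note in a comment above the rule rather than inline: if this `condition:` is a `>` block scalar like the `output:` below it, a trailing `#` would become part of the filter expression instead of a comment. Every exclusion on this list is keyed on ancestor process names that an attacker controls, so keeping the `gparent`/`ggparent`/`gggparent` fields in the output, as this rule does, remains the main way an analyst can spot a spoofed chain on the events that still alert. The rule definition this condition belongs to begins above the hunk.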