diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 50b63efa..bc3c1ced 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2550,7 +2550,7 @@
   condition: (fd.sport in (miner_ports) and fd.sip.name in (miner_domains))
 - macro: net_miner_pool
-  condition: (outbound and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
+  condition: (evt.type in (sendto, sendmsg) and evt.dir=< and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 - rule: Detect outbound connections to common miner pool ports
   desc: Miners typically connect to miner pools on common ports.
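Review bot: The new `net_miner_pool` condition matches only `sendto`/`sendmsg` exit events, so a miner that reaches the pool via `connect` and then `write`/`send` on the connected socket would presumably no longer be caught, whereas the dropped `outbound` macro (defined outside this hunk) likely covered that path; this narrowing deserves a comment above the macro stating why the data-path syscalls alone are the intended trigger. Because `sendto`/`sendmsg` fire per message rather than per connection, the rules built on this macro, starting with "Detect outbound connections to common miner pool ports" whose desc still speaks of connections, may now emit one alert per send and should be checked for volume. If both paths are wanted, keeping the old macro or'd in is a one-line change: `condition: ((outbound or (evt.type in (sendto, sendmsg) and evt.dir=<)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))`.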