diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 3c0cf030..5c4865c8 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -629,6 +629,9 @@
 condition: (proc.cmdline startswith "python /opt/datadog-agent" and fd.name startswith "/etc/dd-agent")
+- macro: curl_writing_pki_db
+ condition: (proc.name=curl and fd.directory=/etc/pki/nssdb)
+
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
 # programs writing below specific directories below
@@ -683,6 +686,7 @@
 and not dmeventd_writing_lvm_archive
 and not ovsdb_writing_openvswitch
 and not datadog_writing_conf
+ and not curl_writing_pki_db
 - rule: Write below etc
 desc: an attempt to write to any file below /etc, not in a pipe installer session
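Review bot: The new `curl_writing_pki_db` macro in the first hunk exempts any process whose name is `curl` from "Write below etc" for every file directly under /etc/pki/nssdb, but a process name is chosen by whoever launches the binary, so this is a broad hole compared with the neighbouring `datadog_writing_conf` macro, which pins both the command line and the file prefix. Narrow it to the files curl's NSS backend actually touches, e.g. `condition: (proc.name=curl and fd.directory=/etc/pki/nssdb and fd.name in (/etc/pki/nssdb/cert8.db, /etc/pki/nssdb/key3.db, /etc/pki/nssdb/secmod.db))`, adjusting the list to the database files observed on the target hosts (NSS sqlite databases use cert9.db/key4.db/pkcs11.txt instead — confirm before relying on either set). The macro also lacks a rationale comment; a line such as `# curl built against NSS updates its certificate/key database under /etc/pki/nssdb on use` above it would tell the next maintainer why this exception exists and when it can be dropped. The second hunk only appends `and not curl_writing_pki_db` to an exclusion list whose enclosing macro definition starts outside the hunk, so the same narrowing applies there by reference.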