diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 6a53d2fe..52a27b28 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2007,7 +2007,7 @@
   condition: >
     (fd.sockfamily = ip and (system_procs or proc.name in (shell_binaries))) and (inbound_outbound)
-    and not proc.name in (systemd, hostid, id)
+    and not proc.name in (known_system_procs_network_activity_binaries)
     and not login_doing_dns_lookup
   output: >
     Known system binary sent/received network traffic
@@ -2015,6 +2015,11 @@
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
+# This list allows easily whitelisting system proc names that are
+# expected to communicate on the network.
+- list: known_system_procs_network_activity_binaries
+  items: [systemd, hostid, id]
+
 # When filled in, this should look something like:
 # (proc.env contains "HTTP_PROXY=http://my.http.proxy.com ")
 # The trailing space is intentional so avoid matching on prefixes of
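Review bot: The new condition line references `known_system_procs_network_activity_binaries` at file line ~2009, but the list is only defined in the second hunk at ~2018, after the rule that uses it. If the rule loader resolves list names in file order rather than in a separate pass, this is a forward reference that fails at load time; if the loader does a collect-then-compile pass this is fine, but moving the `- list:` block above the rule would remove the dependency on that behaviour and match the usual define-before-use layout of the file. The rule's `desc`/`rule` header lines are outside the hunk, so I cannot see whether other lists this rule uses are defined above it.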
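Review bot: The comment above the new list describes it as "whitelisting system proc names" but does not say what that exclusion actually keys on, which matters because the rule compares `proc.name` only: any process reporting one of these names is dropped from the rule, regardless of path or parent. I would extend the comment with `# Matched on proc.name only, so an entry excludes every process reporting that name; keep this list minimal.` so that people adding entries understand the exclusion is name-based. Replacing "whitelisting" with "allowlisting" would also match current terminology, but that is cosmetic.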