diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 2f7b5fe9..63871eb9 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -324,7 +324,7 @@
   condition: fd.name in (/dev/log, /run/systemd/journal/syslog)
 
 - list: cron_binaries
-  items: [anacron, cron, crond]
+  items: [anacron, cron, crond, crontab]
 
 # https://github.com/liske/needrestart
 - list: needrestart_binaries