diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml index 9a8a72a6..7ee4ab4a 100644 --- a/rules/falco_rules.yaml +++ b/rules/falco_rules.yaml @@ -1952,12 +1952,18 @@ priority: INFO tags: [users, mitre_remote_access_tools] +# In some cases, a shell is expected to be run in a container. For example, configuration +# management software may do this, which is expected. +- macro: user_expected_terminal_shell_in_container_conditions + condition: (never_true) + - rule: Terminal shell in container desc: A shell was used as the entrypoint/exec point into a container with an attached terminal. condition: > spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint + and not user_expected_terminal_shell_in_container_conditions output: > A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)
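Review bot: The new `user_expected_terminal_shell_in_container_conditions` macro is an alert-suppression hook, but its comment says neither how it is meant to be overridden nor how narrowly, so a user who redefines it with a broad condition (e.g. only a `container.image.repository` match) silently disables `Terminal shell in container` for every interactive exec into that image, attacker-driven ones included. Presumably the intended mechanism is redefining the macro in a later-loaded rules file rather than editing this file — worth stating next to the `(never_true)` placeholder. I would extend the comment to: `# Override this macro in a later-loaded rules file rather than editing it here, and keep the` / `# condition narrow (e.g. a specific image AND parent process or user), because anything it` / `# matches is never alerted on by "Terminal shell in container".` The rule definition continues past the end of the hunk (its priority and tags are not visible here).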