diff --git a/test/falco_tests_plugins.yaml b/test/falco_tests_plugins.yaml
index d79bdd81..1a105f6e 100644
--- a/test/falco_tests_plugins.yaml
+++ b/test/falco_tests_plugins.yaml
@@ -103,4 +103,20 @@ trace_files: !mux
 - Cloudtrail Create Instance
 stderr_contains: "Rule Cloudtrail Create Instance: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
+ no_plugins_unknown_source_macro:
+ detect: False
+ rules_file:
+ - rules/plugins/cloudtrail_macro.yaml
+ trace_file: trace_files/empty.scap
+ stderr_contains: "Macro Some Cloudtrail Macro: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
+
+ no_plugins_unknown_source_rule_exception:
+ detect: False
+ rules_file:
+ - rules/plugins/cloudtrail_create_instances_exceptions.yaml
+ trace_file: trace_files/empty.scap
+ rules_warning:
+ - Cloudtrail Create Instance
+ stderr_contains: "Rule Cloudtrail Create Instance: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
+
diff --git a/test/rules/plugins/cloudtrail_create_instances_exceptions.yaml b/test/rules/plugins/cloudtrail_create_instances_exceptions.yaml
new file mode 100644
index 00000000..885a371d
--- /dev/null
+++ b/test/rules/plugins/cloudtrail_create_instances_exceptions.yaml
@@ -0,0 +1,9 @@
+- rule: Cloudtrail Create Instance
+ desc: Detect Creating an EC2 Instance
+ condition: evt.num > 0 and ct.name="StartInstances"
+ output: EC2 Instance Created (evtnum=%evt.num info=%evt.plugininfo id=%ct.id user name=%json.value[/userIdentity/userName])
+ exceptions:
+ - name: user_secreid
+ fields: [aws.user, aws.region]
+ priority: INFO
+ source: aws_cloudtrail
diff --git a/test/rules/plugins/cloudtrail_macro.yaml b/test/rules/plugins/cloudtrail_macro.yaml
new file mode 100644
index 00000000..009d8a39
--- /dev/null
+++ b/test/rules/plugins/cloudtrail_macro.yaml
@@ -0,0 +1,4 @@
+- macro: Some Cloudtrail Macro
+ condition: aws.user=bob
+ source: aws_cloudtrail
+
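Review bot: The `no_plugins_unknown_source_rule_exception` case pins exactly the same skip warning as the existing `Cloudtrail Create Instance` case directly above it, so the only thing distinguishing the two is the rules file; nothing in the test asserts that the exception's plugin fields (`aws.user`, `aws.region`) were tolerated rather than additionally reported as an error before the skip. If the harness offers a negative stderr match, adding it would make the test say what it is for, e.g. `stderr_not_contains: "aws.user"` next to the existing `stderr_contains`; if not, the default exit-status check is presumably what catches a hard failure, and a one-line comment to that effect would help. The macro case has no `rules_warning` entry while the rule case does; that is likely because the warning check keys on `Rule <name>:` lines and a macro produces `Macro <name>:`, but a comment such as `# macros are not rules, so only stderr_contains can assert the skip` would stop the next reader from treating it as an omission. Note also that the `.` in both `stderr_contains` values stands for the parentheses of `(unknown-source)`, i.e. the value is matched as a regex, not a literal.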
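Review bot: The exception `user_secreid` lists `fields` but neither `values` nor `comps`, so even if this rule were ever loaded it would except nothing; that is acceptable for a fixture whose only job is to reach the unknown-source skip path, but the file does not say so, and the name reads like a typo (perhaps `user_region` was meant). A header comment would keep the fixture from being copied as a rule template, e.g. `# Test fixture: a rule whose exception references plugin fields (aws.*); with no aws_cloudtrail plugin loaded, Falco must skip the whole rule with an unknown-source warning rather than fail on those fields.` If the intent is specifically that exception fields are not validated when the source is unknown, naming that in the comment would also document why this file exists separately from the existing exception-less Cloudtrail rule fixture.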
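Review bot: The macro is not referenced by any rule in the file the test loads, and nothing states that this is deliberate; a reader of `rules/plugins/` could take it for an unfinished rule set. Suggest a header comment, e.g. `# Test fixture: a macro bound to a plugin source with no rule using it; with the aws_cloudtrail plugin absent, Falco must warn (unknown-source) and skip it instead of failing.` The trailing blank added line is harmless but the sibling exceptions fixture ends without one; dropping it keeps the two files consistent.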