diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 4e411648..13cb0e68 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -345,7 +345,8 @@
 - macro: trusted_containers
 condition: (container.image startswith sysdig/agent or
- container.image startswith sysdig/falco or
+ (container.image startswith sysdig/falco and
+ not container.image startswith sysdig/falco-event-generator) or
 container.image startswith sysdig/sysdig or
 container.image startswith gcr.io/google_containers/hyperkube or
 container.image startswith gcr.io/google_containers/kube-proxy)
diff --git a/test/falco_test.py b/test/falco_test.py
index d6ce9b87..afb7c4f8 100644
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -56,6 +56,16 @@ class FalcoTest(Test):
 for rule in self.disabled_rules:
 self.disabled_args = self.disabled_args + "-D " + rule + " "
+ self.detect_counts = self.params.get('detect_counts', '*', default=False)
+ if self.detect_counts == False:
+ self.detect_counts = {}
+ else:
+ detect_counts = {}
+ for item in self.detect_counts:
+ for item2 in item:
+ detect_counts[item2[0]] = item2[1]
+ self.detect_counts = detect_counts
+
 self.rules_warning = self.params.get('rules_warning', '*', default=False)
 if self.rules_warning == False:
 self.rules_warning = sets.Set()
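Review bot: The carve-out added to `trusted_containers` still exempts any image whose name merely begins with `sysdig/falco`, because `startswith` is a prefix test and `sysdig/falco-event-generator` is only one such name; the untouched `sysdig/agent` and `sysdig/sysdig` prefixes have the same width. An image name is assigned by whoever tags or runs the container, so a macro that grants exemptions by name prefix should say so, e.g. `# Trust is by image-name prefix only; any image named sysdig/falco* other than the event generator is exempted.` If exact image names are what is intended, an equality comparison (in whatever tag form `container.image` carries) would be tighter than a prefix test.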
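Review bot: The unpacking loop `for item in self.detect_counts: for item2 in item: detect_counts[item2[0]] = item2[1]` relies on each entry of the `detect_counts` parameter arriving as a sequence of (key, value) pairs; if the params loader handed back plain dicts instead, `item2` would be a key string and `item2[0]`/`item2[1]` its first two characters, silently producing wrong expectations. A comment stating the assumed shape would help, e.g. `# Each list entry is a sequence of (rule_name, count) pairs as produced by the params loader, not a plain dict.` The `== False` comparison against a value that may be a list is also a style point; `is False` makes the sentinel check explicit. The enclosing method continues outside the hunk.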
@@ -161,6 +171,23 @@ class FalcoTest(Test):
 if not events_detected > 0:
 self.fail("Detected {} events at level {} when should have detected > 0".format(events_detected, level))
+ def check_detections_by_rule(self, res):
+ # Get the number of events detected for each rule. Must match the expected counts.
+ match = re.search('Triggered rules by rule name:(.*)', res.stdout, re.DOTALL)
+ if match is None:
+ self.fail("Could not find a block 'Triggered rules by rule name: ...' in falco output")
+
+ triggered_rules = match.group(1)
+
+ for rule, count in self.detect_counts.iteritems():
+ expected_line = '{}: {}'.format(rule, count)
+ match = re.search(expected_line, triggered_rules)
+
+ if match is None:
+ self.fail("Could not find a line '{}' in triggered rule counts '{}'".format(expected_line, triggered_rules))
+ else:
+ self.log.debug("Found expected count for {}: {}".format(rule, match.group()))
+
 def check_outputs(self):
 for output in self.outputs:
 # Open the provided file and match each line against the
@@ -222,6 +249,8 @@ class FalcoTest(Test):
 if len(self.rules_events) > 0:
 self.check_rules_events(res)
 self.check_detections(res)
+ if len(self.detect_counts) > 0:
+ self.check_detections_by_rule(res)
 self.check_json_output(res)
 self.check_outputs()
 pass
diff --git a/test/falco_tests.yaml.in b/test/falco_tests.yaml.in
index a973e8fe..977b7d4c 100644
--- a/test/falco_tests.yaml.in
+++ b/test/falco_tests.yaml.in
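Review bot: In `check_detections_by_rule`, `re.search(expected_line, triggered_rules)` uses the rule name and count as a regex pattern without escaping or anchoring, so a rule name containing metacharacters such as `(` or `.` is misread, and an expected `Read sensitive file untrusted: 3` also matches a line reporting `30`. Escape and end-anchor the line, `match = re.search(re.escape(expected_line) + r'\s*$', triggered_rules, re.MULTILINE)`, so only an exact count on its own line satisfies the check. The comment above the first search could also note that `re.DOTALL` makes `(.*)` capture everything to the end of stdout, which is what the per-rule search below depends on.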
@@ -181,3 +181,22 @@ trace_files: !mux
 trace_file: trace_files/cat_write.scap
 outputs:
 - /tmp/falco_outputs/program_output.txt: Warning An open was seen
+
+ detect_counts:
+ detect: True
+ detect_level: WARNING
+ trace_file: traces-positive/falco-event-generator.scap
+ detect_counts:
+ - "Write below binary dir": 1
+ - "Read sensitive file untrusted": 3
+ - "Run shell in container": 1
+ - "Write below rpm database": 1
+ - "Write below etc": 1
+ - "System procs network activity": 1
+ - "Mkdir binary dirs": 1
+ - "System user interactive": 1
+ - "DB program spawned process": 1
+ - "Non sudo setuid": 1
+ - "Create files below dev": 1
+ - "Modify binary dirs": 2
+ - "Change thread namespace": 2