diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 9bd7afa0..a9da9ea0 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -1406,6 +1406,9 @@
 - macro: runc_writing_var_lib_docker
   condition: (proc.cmdline="runc:[1:CHILD] init" and evt.arg.filename startswith /var/lib/docker)
 
+- macro: mysqlsh_writing_state
+  condition: (proc.name=mysqlsh and fd.directory=/root/.mysqlsh)
+
 - rule: Write below root
   desc: an attempt to write to any file directly below / or /root
   condition: >
@@ -1426,6 +1429,7 @@
     and not calico_writing_state
     and not rancher_writing_root
     and not runc_writing_exec_fifo
+    and not mysqlsh_writing_state
     and not known_root_conditions
     and not user_known_write_root_conditions
     and not user_known_write_below_root_activities
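Review bot: The new `mysqlsh_writing_state` macro keys the exclusion on `proc.name=mysqlsh`, which is self-reported by the process (argv[0] / comm), so any process that names itself `mysqlsh` can write into `/root/.mysqlsh` without "Write below root" firing; the neighbouring `runc_writing_var_lib_docker` macro at least pins the full `proc.cmdline`. Since `/root/.mysqlsh` is the shell's per-user configuration directory, files dropped there (presumably startup scripts or config, to be confirmed against the mysqlsh docs) would be a plausible place to persist, so the blanket directory match is wider than the history/state files the commit seems to be silencing. If the files mysqlsh actually writes are known, prefer matching them by `fd.name` rather than the whole directory, and in any case add a comment above the macro such as `# proc.name is attacker-controllable; this only suppresses writes into /root/.mysqlsh, keep the match as narrow as the files mysqlsh really touches`. The `Write below root` rule body continues past the end of the hunk, so whether a `known_root_directories`-style list would have been the better home for this path cannot be judged from here.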