diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 0d96c832..ab813f3a 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -379,6 +379,9 @@
 - macro: run_by_chef
 condition: (proc.aname[2]=chef_command_wr or proc.aname[3]=chef_command_wr)
+- macro: run_by_puppet
+ condition: (proc.aname[2]=puppet or proc.aname[3]=puppet)
+
 - macro: run_by_h2o
 condition: (proc.pname=perl and proc.aname[2]=h2o)
@@ -616,6 +619,7 @@
 and not parent_node_running_npm
 and not parent_java_running_sbt
 and not run_by_chef
+ and not run_by_puppet
 output: >
 Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3])
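Review bot: The new `run_by_puppet` macro keys only on an ancestor process *name* (`proc.aname[2]=puppet or proc.aname[3]=puppet`), so once the second hunk adds `and not run_by_puppet` to the shell-spawn rule, any shell whose grandparent or great-grandparent is simply named `puppet` is excluded from the alert, regardless of where that binary lives or how it was started; this is a broader allowlist than the neighbouring `run_by_chef` (which matches the more specific `chef_command_wr`) and `run_by_h2o` (which also pins `proc.pname=perl`). Consider tightening it in the same way, for example by requiring the expected interpreter or wrapper as the direct parent, and document the trade-off above the macro: `# Puppet agent applies exec resources via a shell; this matches on ancestor name only, so it also suppresses alerts for any unrelated process named "puppet" two or three levels up.` Whether the agent's process name is actually `puppet` (rather than the ruby interpreter) on the deployments this is meant for is not visible here and is worth confirming before relying on the exclusion. The rule whose condition the second hunk extends starts outside the hunk, so its `desc` and `priority` cannot be checked from this view.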