diff --git a/Generating-Sample-Events.md b/Generating-Sample-Events.md index 13e98ff..a984b7c 100644 --- a/Generating-Sample-Events.md +++ b/Generating-Sample-Events.md @@ -3,7 +3,7 @@ If you'd like to see if falco is working properly, we've created a test program Here's the usage block for the test program: ``` -Usage /usr/local/bin/event_generator [options] +Usage event_generator [options] Options: -h/--help: show this help @@ -32,7 +32,12 @@ Options: (used by user_mgmt_binaries below) user_mgmt_binaries Become the program "vipw", which triggers rules related to user management programs + exfiltration Read /etc/shadow and send it via udp to a + specific address and port all All of the above + The action can also be specified via the environment variable EVENT_GENERATOR_ACTIONS + as a colon-separated list + if specified, -a/--action overrides any environment variables -i/--interval: Number of seconds between actions -o/--once: Perform actions once and exit ```
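Review bot: In the first hunk (@@ -3,7 +3,7 @@), the usage line now reads "Usage event_generator [options]" with no path, so the page no longer tells the reader where the binary lives. If the location still matters (the removed line had /usr/local/bin/event_generator), state it once in the prose above the usage block, or say that the program is expected to be on PATH.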
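Review bot: In the second hunk (@@ -32,7 +32,12 @@), the new "exfiltration" entry says it sends /etc/shadow "via udp to a specific address and port" but never names the destination or says how to set it. This action puts password hashes on the network, and "all" is documented as "All of the above", so it now includes it. The help text should give the destination address and port, or name the option that controls them, so an operator knows where the data goes before running it. Smaller points on the EVENT_GENERATOR_ACTIONS lines: write them as full sentences (capitalize "if specified", add closing periods), and change "overrides any environment variables" to name the one variable that is actually overridden.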