diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 69824276417..2341adcf93d 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -490,9 +490,10 @@
   tags: [container, shell]
 
 # sockfamily ip is to exclude certain processes (like 'groups') that communicate on unix-domain sockets
+# systemd can listen on ports to launch things like sshd on demand
 - rule: System procs network activity
   desc: any network activity performed by system binaries that are not expected to send or receive any network traffic
-  condition: (fd.sockfamily = ip and system_procs) and (inbound or outbound)
+  condition: (fd.sockfamily = ip and system_procs) and (inbound or outbound) and not proc.name=systemd
   output: "Known system binary sent/received network traffic (user=%user.name command=%proc.cmdline connection=%fd.name)"
   priority: NOTICE
   tags: [network]
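Review bot: The new `and not proc.name=systemd` clause in the condition exempts every IP-socket event from any process named systemd, but the comment added above the rule only justifies the on-demand listening case; outbound connections by systemd would now be silently dropped by this rule too, and a process-name match is a weak discriminator since the name comes from the executable and not from its identity. If the intent is just the socket-activation listener, scope the exception to that direction: `condition: (fd.sockfamily = ip and system_procs) and (inbound or outbound) and not (proc.name=systemd and inbound)`. It would also help to widen the comment so the reason for the exception is explicit in the rule file, e.g. `# systemd (socket activation) accepts inbound connections on behalf of services such as sshd; outbound traffic from it is still unexpected`. The `system_procs`, `inbound` and `outbound` macros this condition relies on are defined outside the hunk, so whether systemd is even in `system_procs` cannot be confirmed from here.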