diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
index 98448907c3f..bdcf85a086b 100644
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -689,3 +689,13 @@ trace_files: !mux
 rules_file:
 - rules/detect_connect_using_in.yaml
 trace_file: trace_files/connect_localhost.scap
+
+ syscalls:
+ detect: True
+ detect_level: INFO
+ rules_file:
+ - rules/syscalls.yaml
+ detect_counts:
+ - syscall_madvise: 2
+ - syscall_open: 2
+ trace_file: trace_files/syscall.scap
diff --git a/test/rules/syscalls.yaml b/test/rules/syscalls.yaml
new file mode 100644
index 00000000000..b984e15a336
--- /dev/null
+++ b/test/rules/syscalls.yaml
@@ -0,0 +1,11 @@
+- rule: detect_madvise
+ desc: Detect any call to madvise
+ condition: evt.type=madvise and evt.dir=<
+ output: A madvise syscall was seen (command=%proc.cmdline evt=%evt.type)
+ priority: INFO
+
+- rule: detect_open
+ desc: Detect any call to open
+ condition: evt.type=open and evt.dir=< and fd.name=/dev/null
+ output: An open syscall was seen (command=%proc.cmdline evt=%evt.type file=%fd.name)
+ priority: INFO
diff --git a/test/trace_files/syscall.scap b/test/trace_files/syscall.scap
new file mode 100644
index 00000000000..90dc870a392
Binary files /dev/null and b/test/trace_files/syscall.scap differ
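Review bot: The `detect_counts` keys in the new `syscalls` test case, `syscall_madvise` and `syscall_open`, do not match the names of the rules this case loads, which the second hunk defines as `detect_madvise` and `detect_open`. If the harness resolves these keys against the per-rule counts Falco reports (as the other entries in this file appear to do), neither key will ever be found and the test will fail or, worse, pass without checking anything, depending on how a missing key is handled. Either rename the keys to `- detect_madvise: 2` and `- detect_open: 2`, or rename the rules in `test/rules/syscalls.yaml` to `syscall_madvise` and `syscall_open` so the two files agree. The enclosing `trace_files: !mux` mapping starts outside the hunk, so the indentation of the new case relative to its siblings cannot be confirmed from here.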
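Review bot: The `desc` of `detect_open` says "Detect any call to open" but the condition narrows the match to `fd.name=/dev/null`, so the description overstates what the rule detects; `desc: Detect an open of /dev/null` would describe the actual condition. It is also worth a short comment above the rule noting that the condition matches only `evt.type=open`, so opens performed through `openat` in the recorded trace would not be counted, which affects the expected `detect_counts` if the trace is ever regenerated on a system whose libc routes `open()` through `openat`. In both rules `evt=%evt.type` in `output` is redundant, since the condition fixes `evt.type` to a single value; dropping it is a minor style point.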