diff --git a/tests/data/rules/legacy.go b/tests/data/rules/legacy.go
index c02035a..3ca52e9 100644
--- a/tests/data/rules/legacy.go
+++ b/tests/data/rules/legacy.go
@@ -2319,7 +2319,7 @@ var LegacyFalcoRules_v1_0_1 = run.NewStringFileAccessor(
     # https://github.com/draios/sysdig/issues/954). So in that case, allow
     # a setuid.
     - macro: known_user_in_container
-      condition: (container and not user.name in ("<NA>","N/A"))
+      condition: (container and not user.name in ("<NA>","N/A",""))
     
     # Add conditions to this macro (probably in a separate file,
     # overwriting this macro) to allow for specific combinations of
diff --git a/tests/falco/legacy_test.go b/tests/falco/legacy_test.go
index 1905f9b..75326b0 100644
--- a/tests/falco/legacy_test.go
+++ b/tests/falco/legacy_test.go
@@ -2628,9 +2628,7 @@ func TestFalco_Legacy_NonSudoSetuid(t *testing.T) {
 		falco.WithArgs("-o", "json_include_output_property=false"),
 		falco.WithArgs("-o", "json_include_tags_property=false"),
 	)
-	assert.NotZero(t, res.Detections().Count())
-	assert.NotZero(t, res.Detections().OfPriority("NOTICE").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("Non sudo setuid").Count())
+	assert.Zero(t, res.Detections().Count())
 	assert.NoError(t, res.Err(), "%s", res.Stderr())
 	assert.Equal(t, 0, res.ExitCode())
 }