diff --git a/falco/rules.d/egress.yaml b/falco/rules.d/egress.yaml
new file mode 100644
index 0000000..360da4e
--- /dev/null
+++ b/falco/rules.d/egress.yaml
@@ -0,0 +1,20 @@
+- rule: Log Established Connections Privileged
+ desc: Log process name, user, egress IP for established connections by privileged processes
+ condition: >
+ evt.type=connect and evt.dir=< and check_privileged
+ output: >
+ {"event_type": "privileged_connection", "process_name": "%proc.name", "user_name": "%user.name", "egress_ip": "%fd.sip"}
+ priority: INFO
+ tags: [network, process]
+
+- rule: Log Established Connections Non-Privileged
+ desc: Log process name, user, egress IP for established connections by non-privileged processes
+ condition: >
+ evt.type=connect and evt.dir=< and not check_privileged
+ output: >
+ {"event_type": "non_privileged_connection", "process_name": "%proc.name", "user_name": "%user.name", "egress_ip": "%fd.sip"}
+ priority: INFO
+ tags: [network, process]
+
+- macro: check_privileged
+ condition: (user.uid=0 or user.name=root)
\ No newline at end of file
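Review bot: Both rule conditions match every `connect` exit event regardless of its result, so a refused or otherwise failed outbound connect is still logged as an "established" connection, and a connect on a UNIX socket fires with an empty `egress_ip`; tighten each condition along the lines of `evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6) and (evt.rawres>=0 or evt.res=EINPROGRESS) and check_privileged` (non-blocking connects return EINPROGRESS rather than 0, and the same guard belongs in the non-privileged rule). The output omits the destination port, which is usually the most useful field for egress triage, so add `"egress_port": "%fd.sport"` beside `egress_ip` in both rules. The hand-built JSON in `output` interpolates `%proc.name` and `%user.name` without any escaping, so a process that names itself with a `"` or `,` yields malformed or injected records for any consumer that parses that string as JSON; Falco's own `json_output` setting produces properly encoded records and avoids embedding JSON in the format string. Finally, `check_privileged` treats only uid 0 or the name `root` as privileged, so root-equivalent processes running under another uid with elevated capabilities land in the non-privileged rule; a comment on the macro such as `# "privileged" here means uid 0 only; capability-bearing non-root processes are not covered` would make that scope explicit.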