cleanup(rules): adjust output fields wrt new style guide round1

https://falco.org/docs/rules/style-guide/

Signed-off-by: Melissa Kilby <[email protected]>

rules/falco_rules.yaml

@@ -381,7 +381,7 @@
   desc: Detect any new ssh connection to a host other than those in an allowed group of hosts
   condition: (inbound_outbound) and ssh_port and not allowed_ssh_hosts
   enabled: false
-  output: Disallowed SSH Connection (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
+  output: Disallowed SSH Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags image=%container.image.repository image_tag=%container.image.tag container_name=%container.name namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority: NOTICE
   tags: [maturity_sandbox, host, container, network, mitre_command_and_control, mitre_lateral_movement, T1021.004]
 
@@ -411,7 +411,7 @@
      (fd.snet in (allowed_outbound_destination_networks)) or
      (fd.sip.name in (allowed_outbound_destination_domains)))
   enabled: false
-  output: Disallowed outbound connection destination (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
+  output: Disallowed outbound connection destination (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags image=%container.image.repository image_tag=%container.image.tag container_name=%container.name  namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority: NOTICE
   tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011]
 
@@ -432,7 +432,7 @@
      (fd.cnet in (allowed_inbound_source_networks)) or
      (fd.cip.name in (allowed_inbound_source_domains)))
   enabled: false
-  output: Disallowed inbound connection source (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
+  output: Disallowed inbound connection source (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags image=%container.image.repository image_tag=%container.image.tag container_name=%container.name namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority: NOTICE
   tags: [maturity_sandbox, host, container, network, mitre_command_and_control, TA0011]
 
@@ -474,8 +474,7 @@
     and not proc.name in (shell_binaries)
     and not exe_running_docker_save
     and not user_known_shell_config_modifiers
-  output: >
-    a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
+  output: A shell configuration file has been modified (file=%fd.name pcmdline=%proc.pcmdline user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags image=%container.image.repository image_tag=%container.image.tag container_name=%container.name namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority:
     WARNING
   tags: [maturity_incubating, host, container, filesystem, mitre_persistence, T1546.004]
@@ -491,8 +490,7 @@
      fd.directory in (shell_config_directories)) and
     (not proc.name in (shell_binaries))
   enabled: false
-  output: >
-    a shell configuration file was read by a non-shell program (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid file=%fd.name container_id=%container.id image=%container.image.repository)
+  output: A shell configuration file was read by a non-shell program (file=%fd.name user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags image=%container.image.repository image_tag=%container.image.tag container_name=%container.name namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority:
     WARNING
   tags: [maturity_sandbox, host, container, filesystem, mitre_discovery, T1546.004]
@@ -507,9 +505,7 @@
      (spawned_process and proc.name = "crontab")) and
     not user_known_cron_jobs
   enabled: false
-  output: >
-    Cron jobs were scheduled to run (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid
-    file=%fd.name container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
+  output: Cron jobs were scheduled to run (file=%fd.name user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags image=%container.image.repository image_tag=%container.image.tag container_name=%container.name namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority:
     NOTICE
   tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1053.003]
@@ -886,8 +882,7 @@
     and not package_mgmt_ancestor_procs
     and not exe_running_docker_save
     and not user_known_update_package_registry
-  output: >
-    Repository files get updated (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid pcmdline=%proc.pcmdline file=%fd.name newpath=%evt.arg.newpath container_id=%container.id image=%container.image.repository)
+  output: Repository files get updated (newpath=%evt.arg.newpath file=%fd.name pcmdline=%proc.pcmdline user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags image=%container.image.repository image_tag=%container.image.tag container_name=%container.name namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority:
     NOTICE
   tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1072]
@@ -907,9 +902,7 @@
     and not python_running_get_pip
     and not python_running_ms_oms
     and not user_known_write_below_binary_dir_activities
-  output: >
-    File below a known binary directory opened for writing (user=%user.name user_loginuid=%user.loginuid
-    command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
+  output: File below a known binary directory opened for writing (file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags image=%container.image.repository image_tag=%container.image.tag container_name=%container.name namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority: ERROR
   tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1543]
 
@@ -962,9 +955,7 @@
     and not google_accounts_daemon_writing_ssh
     and not cloud_init_writing_ssh
     and not user_known_write_monitored_dir_conditions
-  output: >
-    File below a monitored directory opened for writing (user=%user.name user_loginuid=%user.loginuid
-    command=%proc.cmdline pid=%proc.pid file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository)
+  output: File below a monitored directory opened for writing (file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags image=%container.image.repository image_tag=%container.image.tag container_name=%container.name namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority: ERROR
   tags: [maturity_sandbox, host, container, filesystem, mitre_persistence, T1543]
 
@@ -979,11 +970,7 @@
     This rule includes failed file open attempts.
   condition: (open_read or open_file_failed) and (etc_dir or user_ssh_directory or fd.name startswith /root/.ssh or fd.name contains "id_rsa") and directory_traversal and not proc.pname in (shell_binaries)
   enabled: true
-  output: >
-    Read monitored file via directory traversal (user=%user.name uid=%user.uid user_loginuid=%user.loginuid 
-    process=%proc.name proc_exepath=%proc.exepath command=%proc.cmdline pid=%proc.pid parent=%proc.pname 
-    file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] 
-    terminal=%proc.tty container_id=%container.id image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name)
+  output: Read monitored file via directory traversal (file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags image=%container.image.repository image_tag=%container.image.tag container_name=%container.name namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority: WARNING
   tags: [maturity_stable, host, container, filesystem, mitre_credential_access, T1555]