fix(incubating_rules): revert #508

[LucaGuerra]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-incubating

What this PR does / why we need it:

In https://github.com/falcosecurity/rules/pull/208 we changed the type of the cmd argument to a flag type because of changes in https://github.com/falcosecurity/libs/pull/1545 , however the libs PR was only modifying the exit event, while this rule refers to the enter event which is still an INT64, thus we still need to use the value 5 for this event. I noticed this during a conversation with @incertum .

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

[github-actions[bot]]

Rules files suggestions

falco-incubating_rules.yaml

Comparing 6a0922b6879c309f75bc82e644f2e9918310f7cc with latest tag falco-incubating-rules-4.0.0

Patch changes:

• Rule System procs network activity changed its output fields
• Rule Unexpected UDP Traffic changed its output fields
• Rule Contact EC2 Instance Metadata Service From Container changed its output fields
• Rule Contact cloud metadata service from container changed its output fields
• Rule Network Connection outside Local Subnet changed its output fields

[poiana]

LGTM label has been added.

Git tree hash: 70cc2fad124907902448783fa9a806dc51f084bf

[incertum]

/hold

[incertum]

@LucaGuerra mind also updating the description?

[github-actions[bot]]

Rules files suggestions

falco-incubating_rules.yaml

Comparing c2e6007b0de8268dda3cb4f3da33f858ca774568 with latest tag falco-incubating-rules-4.0.0

Patch changes:

• Rule System procs network activity changed its output fields
• Rule Unexpected UDP Traffic changed its output fields
• Rule Contact EC2 Instance Metadata Service From Container changed its output fields
• Rule Contact cloud metadata service from container changed its output fields
• Rule Network Connection outside Local Subnet changed its output fields

[poiana]

LGTM label has been added.

Git tree hash: 4a03117c5fb4a724568384a70987799fb08cec5a

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: incertum, loresuso, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[rules/OWNERS](https://github.com/falcosecurity/rules/blob/main/rules/OWNERS)~~ [LucaGuerra,incertum,loresuso] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[github-actions[bot]]

Rules files suggestions

falco-incubating_rules.yaml

Comparing 42bf4c83e67e7565174e6fd76d33ac82b16c4018 with latest tag falco-incubating-rules-4.0.0

Patch changes:

• Rule System procs network activity changed its output fields
• Rule Unexpected UDP Traffic changed its output fields
• Rule Contact EC2 Instance Metadata Service From Container changed its output fields
• Rule Contact cloud metadata service from container changed its output fields
• Rule Network Connection outside Local Subnet changed its output fields