updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

rules/falco-deprecated_rules.yaml

@@ -32,6 +32,7 @@
 
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
+---
 
 - required_engine_version: '0.31.0'
 

rules/falco-sandbox_rules.yaml

@@ -32,6 +32,7 @@
 
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
+---
 
 - required_engine_version: 0.35.0
 

rules/falco_rules.yaml

@@ -403,7 +403,8 @@
     and not proc.pname in (shell_binaries)
 
   enabled: true
-    output: Read monitored file via directory traversal
+    output: >
+      Read monitored file via directory traversal
       (file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2]
       ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type
       user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid
@@ -1460,8 +1461,8 @@
     proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline
     terminal=%proc.tty %container.info)
   priority: NOTICE
-  tags: >
-    [maturity_stable, host, container, process, mitre_defense_evasion, T1622]
+  tags: [
+    maturity_stable, host, container, process, mitre_defense_evasion, T1622]
 
 - macro: private_aws_credentials
   condition: >
@@ -1607,7 +1608,7 @@
     user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath
     parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
   priority: NOTICE
-  tags: [ 
+  tags: [
     maturity_stable, host, container, network, process, mitre_execution, T1059
   ]
 
@@ -1639,4 +1640,4 @@
   priority: CRITICAL
   tags: [
     maturity_stable, host, container, process, mitre_defense_evasion, T1620
-  ]  
+  ]