From 342b20dc7d58b9bc1883c809cbed25f21920e754 Mon Sep 17 00:00:00 2001
From: Luca Guerra <luca@guerra.sh>
Date: Fri, 2 Aug 2024 17:48:50 +0200
Subject: [PATCH] update(rule): update description

Signed-off-by: Luca Guerra <luca@guerra.sh>
---
 rules/falco-incubating_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index 864f91f3..cd0e9658 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -1296,7 +1296,7 @@
     BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This 
     rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment. 
     However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the 
-    time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=BPF_PROG_LOAD) in the enter event. If you also want to log 
+    time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=5) in the enter event. If you also want to log 
     whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
   condition: >
     evt.type=bpf and evt.dir=>