cleanup(rules): transition rule BPF Program Not Profiled to maturity incubating

rules/falco-incubating_rules.yaml

@@ -1283,4 +1283,25 @@
     (fd.name contains "liblzma.so.5.6.0" or fd.name contains "liblzma.so.5.6.1")
   output: SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline (process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: WARNING
-  tags: [maturity_incubating, host, container]
+  tags: [maturity_incubating, host, container, mitre_initial_access, T1556]
+
+- list: bpf_profiled_binaries
+  items: [falco, bpftool, systemd]
+
+- macro: bpf_profiled_procs
+  condition: (proc.name in (bpf_profiled_binaries))
+
+- rule: BPF Program Not Profiled
+  desc: > 
+    BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This 
+    rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment. 
+    However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the 
+    time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=BPF_PROG_LOAD) in the enter event. If you also want to log 
+    whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
+  condition: >
+    evt.type=bpf and evt.dir=> 
+    and evt.arg.cmd=BPF_PROG_LOAD
+    and not bpf_profiled_procs
+  output: BPF Program Not Profiled (bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
+  priority: NOTICE
+  tags: [maturity_incubating, host, container, mitre_persistence, TA0003]

rules/falco-sandbox_rules.yaml

@@ -1706,27 +1706,6 @@
   priority: WARNING
   tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611]
 
-- list: bpf_profiled_binaries
-  items: [falco, bpftool, systemd]
-
-- macro: bpf_profiled_procs
-  condition: (proc.name in (bpf_profiled_binaries))
-
-- rule: BPF Program Not Profiled
-  desc: > 
-    BPF is a kernel technology that can be misused for malicious purposes, like "Linux Kernel Module Injection". This 
-    rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment. 
-    However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the 
-    time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=5) in the enter event. If you also want to log 
-    whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field.
-  condition: >
-    evt.type=bpf and evt.dir=> 
-    and evt.arg.cmd=BPF_PROG_LOAD
-    and not bpf_profiled_procs
-  output: BPF Program Not Profiled (bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)
-  priority: NOTICE
-  tags: [maturity_sandbox, host, container, mitre_persistence, TA0003]
-
 - list: known_decode_payload_containers
   items: []