From 0b402e2326ac1c31cc0cee6628177b5f9ad24d4b Mon Sep 17 00:00:00 2001
From: Hiroki Suezawa
Date: Tue, 3 Dec 2019 10:36:42 +0900
Subject: [PATCH] rule update: Rename rule for Cloud Metadata access again

Signed-off-by: Hiroki Suezawa
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f967e4d5..d2d87677 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2226,7 +2226,7 @@
 
 # On GCP, AWS and Azure, 169.254.169.254 is a special IP used to fetch
 # metadata about the instance. The metadata could be used to get credentials by attackers.
-- rule: Contact Cloud Instance Metadata Service From Container
+- rule: Contact cloud metadata service from container
 desc: Detect attempts to contact the Cloud Instance Metadata Service from a container
 condition: outbound and fd.sip="169.254.169.254" and container and consider_metadata_access and not user_known_metadata_access
 output: Outbound connection to cloud instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image.repository:%container.image.tag)