rule(list known_system_procs_network_activity_binaries): add a list of known procs for convenience

This makes it more convenient to add more allowed procs and many other
rules have a similar mechanism to whitelist certain processes.

Signed-off-by: Nicolas Marier <nmarier@coveo.com>

rules/falco_rules.yaml

@@ -2007,7 +2007,7 @@
   condition: >
     (fd.sockfamily = ip and (system_procs or proc.name in (shell_binaries)))
     and (inbound_outbound)
-    and not proc.name in (systemd, hostid, id)
+    and not proc.name in (known_system_procs_network_activity_binaries)
     and not login_doing_dns_lookup
   output: >
     Known system binary sent/received network traffic
@@ -2015,6 +2015,11 @@
   priority: NOTICE
   tags: [network, mitre_exfiltration]
 
+# This list allows easily whitelisting system proc names that are
+# expected to communicate on the network.
+- list: known_system_procs_network_activity_binaries
+  items: [systemd, hostid, id]
+
 # When filled in, this should look something like:
 # (proc.env contains "HTTP_PROXY=http://my.http.proxy.com ")
 # The trailing space is intentional so avoid matching on prefixes of