From b0565794f5a57efde8a8cc1a8d7a231cf96306c1 Mon Sep 17 00:00:00 2001
From: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
Date: Fri, 19 Nov 2021 09:55:48 +0100
Subject: [PATCH] Move user_known_ingress_remote_file_copy_activities to outside condition

Signed-off-by: Erick Cheng <19863605+ec4n6@users.noreply.github.com>
---
 rules/falco_rules.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f1e3af8f..795ba562 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3109,9 +3109,8 @@ condition: >
 spawned_process and container and
-((ingress_remote_file_copy_procs and
- not user_known_ingress_remote_file_copy_activities) or
- (curl_download))
+ (ingress_remote_file_copy_procs or curl_download) and
+ not user_known_ingress_remote_file_copy_activities
 output: >
 Ingress remote file copy tool launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)