Need documentation for Selective Override (Falco PR# 2981)

[mikegcoleman]

/area documentation

What would you like to be added:
Need documentation for falcosecurity/falco#2981

Why is this needed:

[incertum]

@tspearconquest just out of curiosity, would you be interested in helping us with this?

[tspearconquest]

Hello, I would like to but I'm afraid I don't/won't have cycles.

[LucaGuerra]

Additional comments re. what we need documented:

The description of the feature is here: falcosecurity/falco#1340 (comment) .

In addition there are extra details coming from the PR description:

• if you specify the override key you must specify all the fields that you wish to override and only those fields
• it is an error to specify both append: true and any override.
• the rule must be defined before any override in the rule loading order

The page where I'd suggest this information to live is: https://falco.org/docs/rules/appending/ . In addition, we need to document that the older way of overriding rules is deprecated in favor of this unified way (cc @mikegcoleman )

[Andreagit97]

for what concern deprecations as i wrote here falcosecurity/falco#2992 (comment), this new feature add 2 main deprecations:

1. 'append' key is deprecated. Add an 'append' entry (e.g. 'condition: append') under 'override' instead.
2. The standalone 'enabled' key usage is deprecated. The correct approach requires also a 'replace' entry under the 'override' key (i.e. 'enabled: replace').

[LucaGuerra]

/assign @mikegcoleman