new(rules): initial tagging of PCI DSS and NIST related rules

rules/falco_rules.yaml

@@ -1967,7 +1967,7 @@
     and not redhat_image
   output: Privileged container started (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pid=%proc.pid %container.info image=%container.image.repository:%container.image.tag)
   priority: INFO
-  tags: [maturity_incubating, container, cis, mitre_execution, T1610]
+  tags: [maturity_incubating, container, cis, mitre_execution, T1610, PCI_DSS_10.2.5]
 
 # These capabilities were used in the past to escape from containers
 - macro: excessively_capable_container
@@ -2082,7 +2082,7 @@
     parent=%proc.pname command=%proc.cmdline exe_flags=%evt.arg.flags pid=%proc.pid terminal=%proc.tty container_id=%container.id 
     image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority: INFO
-  tags: [maturity_stable, host, container, users, mitre_execution, T1059]
+  tags: [maturity_stable, host, container, users, mitre_execution, T1059, NIST_800-53_AC-2]
 
 # In some cases, a shell is expected to be run in a container. For example, configuration
 # management software may do this, which is expected.
@@ -2515,7 +2515,7 @@
   enabled: false
   output: Unexpected K8s NodePort Connection (command=%proc.cmdline pid=%proc.pid connection=%fd.name container_id=%container.id image=%container.image.repository)
   priority: NOTICE
-  tags: [maturity_sandbox, network, k8s, container, mitre_persistence, T1205.001]
+  tags: [maturity_sandbox, network, k8s, container, mitre_persistence, T1205.001, NIST_800-53_AC-6]
 
 - list: network_tool_binaries
   items: [nc, ncat, netcat, nmap, dig, tcpdump, tshark, ngrep, telnet, mitmproxy, socat, zmap]
@@ -2690,7 +2690,7 @@
     image=%container.image.repository namespace=%k8s.ns.name pod_name=%k8s.pod.name)
   priority:
     WARNING
-  tags: [maturity_stable, host, container, filesystem, mitre_defense_evasion, T1070]
+  tags: [maturity_stable, host, container, filesystem, mitre_defense_evasion, T1070, NIST_800-53_AU-10]
 
 - list: data_remove_commands
   items: [shred, mkfs, mke2fs]
@@ -3065,7 +3065,7 @@
      image=%container.image.repository namespace=%k8s.ns.name
      fd.rip.name=%fd.rip.name fd.lip.name=%fd.lip.name fd.cip.name=%fd.cip.name fd.sip.name=%fd.sip.name)
   priority: WARNING
-  tags: [maturity_incubating, container, network, mitre_discovery, T1046]
+  tags: [maturity_incubating, container, network, mitre_discovery, T1046, PCI_DSS_6.4.2]
 
 - list: allowed_image
   items: [] # add image to monitor, i.e.: bitnami/nginx
@@ -3101,7 +3101,7 @@
     (command=%proc.cmdline pid=%proc.pid connection=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id
     image=%container.image.repository)
   priority: WARNING
-  tags: [maturity_sandbox, container, network, mitre_discovery, TA0011]
+  tags: [maturity_sandbox, container, network, mitre_discovery, TA0011, NIST_800-53_CM-7]
 
 - macro: user_known_stand_streams_redirect_activities
   condition: (never_true)
@@ -3525,7 +3525,7 @@
     proc.cwd=%proc.cwd terminal=%proc.tty container.start_ts=%container.start_ts proc.sid=%proc.sid proc.vpgid=%proc.vpgid 
     proc.vpid=%proc.vpid evt.res=%evt.res)
   priority: CRITICAL
-  tags: [maturity_stable, container, process, mitre_persistence, TA0003]
+  tags: [maturity_stable, container, process, mitre_persistence, TA0003, PCI_DSS_11.5.1]
 
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to