Task: Make the log formatting and keywords suitable for ease usages of commercial rulesets #4

@hongsam14

The log format and keywords are not suitable for use in commercial rules.

Here is an example of some of the common rules:

detection:
    selection:
        Image|endswith: '/base64'
        CommandLine|contains: '-d'
    condition: selection

Here is a part of polvo's log:

{
  "eventname": "processCreate",
  "source": "eBPF",
  "timestamp": "2025-04-09T21:01:10.023340392+09:00",
  "log": "A process has been created",
  "metadata": {
    "Argc": 4,
    "Args": [
      "/usr/libexec/gvfsd-wsdd",
      "--spawner",
      ":1.25",
      "/org/gtk/gvfs/exec_spaw/110",
      "",
      "",
      "",
      "",
      "",
      ""
    ],
    "Command": "gvfsd",
    ...
    "Filename": "/usr/libexec/gvfsd-wsdd",
    "PID": 26423,
    "PPID": 3725,
    "TGID": 26423,
    "UID": 1000,
    "Username": "shhong"
  }
}

Comparing polvo's log with the common rules, we can see the following facts:

  1. Argc & Args are useless. We need to combine them into CommandLine.
  2. log is useless. The description of the log will be generated when processing log traces with common rules.
  3. The Command keyword needs to be redefined. Within polvo's log, Command has a different meaning than CommandLine.
  4. It is appropriate to change the keyword Filename to Image, which universally refers to the path of the executable file.
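To make the four points concrete, here is an added example (not code from polvo or from the issue author) that maps a polvo processCreate event onto the keywords the quoted rule expects and then evaluates the rule's selection against it. The sample event is constructed from the record quoted above; the assumption that Args is a fixed-size array padded with empty strings and that Argc counts the real entries is taken from that sample, as is the choice of `shlex.join` to build CommandLine. The field names `ProcessId`, `ParentProcessId`, `User` and `OriginalCommand` are my own suggestions, not names polvo defines.

```python
import shlex

# Constructed sample record, modelled on the polvo processCreate event quoted
# in the issue. Not real polvo output.
SAMPLE_EVENT = {
    "eventname": "processCreate",
    "source": "eBPF",
    "timestamp": "2025-04-09T21:01:10.023340392+09:00",
    "log": "A process has been created",
    "metadata": {
        "Argc": 4,
        "Args": ["/usr/libexec/gvfsd-wsdd", "--spawner", ":1.25",
                 "/org/gtk/gvfs/exec_spaw/110", "", "", "", "", "", ""],
        "Command": "gvfsd",
        "Filename": "/usr/libexec/gvfsd-wsdd",
        "PID": 26423,
        "PPID": 3725,
        "TGID": 26423,
        "UID": 1000,
        "Username": "shhong",
    },
}

# The selection block of the rule quoted in the issue, as a plain dict.
BASE64_DECODE_SELECTION = {
    "Image|endswith": "/base64",
    "CommandLine|contains": "-d",
}


def make_event(filename, args, **metadata_overrides):
    """Build a constructed polvo-style event for experiments (hypothetical helper)."""
    padded = list(args) + [""] * 4          # mimic the padded Args array
    metadata = dict(SAMPLE_EVENT["metadata"], Argc=len(args), Args=padded,
                    Filename=filename, **metadata_overrides)
    return dict(SAMPLE_EVENT, metadata=metadata)


def to_sigma_fields(event):
    """Map one polvo event onto the keywords common rules use.

    Assumption (from the sample): Args is padded with empty strings and
    Argc counts the real entries, so the array is sliced before joining.
    """
    md = event["metadata"]
    args = md.get("Args", [])[: md.get("Argc", 0)]
    return {
        "Image": md["Filename"],           # executable path, under the universal name
        "CommandLine": shlex.join(args),   # Argc/Args collapsed into one string
        "ProcessId": md["PID"],
        "ParentProcessId": md["PPID"],
        "User": md["Username"],
        # polvo's "Command" is the short process name, not the command line;
        # keep it under a distinct key so it cannot be confused with CommandLine.
        "OriginalCommand": md.get("Command"),
        # "log" is dropped on purpose: the description comes from the matching rule.
    }


def _field_matches(value, modifier, expected):
    """Evaluate one 'Field|modifier: value' pair (Sigma-style string modifiers)."""
    if value is None:
        return False
    value, expected = str(value), str(expected)
    if modifier == "":
        return value == expected
    if modifier == "contains":
        return expected in value
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "endswith":
        return value.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(fields, selection):
    """All keys inside one selection map must match (AND semantics)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(fields.get(field), modifier, expected):
            return False
    return True


def evaluate(event, selection=BASE64_DECODE_SELECTION):
    """Normalise a polvo event and test it against a selection."""
    return selection_matches(to_sigma_fields(event), selection)


if __name__ == "__main__":
    print(to_sigma_fields(SAMPLE_EVENT))
    print("gvfsd event matches:", evaluate(SAMPLE_EVENT))
    decode = make_event("/usr/bin/base64", ["base64", "-d"])
    print("base64 -d event matches:", evaluate(decode))
```

Running it shows why the mapping matters: the rule never fires on the raw record because neither `Image` nor `CommandLine` exists there, while after normalisation the gvfsd event correctly fails the selection and a constructed `base64 -d` event passes it. Slicing by Argc also keeps the six empty padding slots out of CommandLine, which would otherwise produce trailing quoted empty strings.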

Labels: enhancement, invalid