[Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165)

rules/linux/impact_potential_linux_ransomware_note_detected.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/03/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/18"
+updated_date = "2024/10/17"
 
 [rule]
 author = ["Elastic"]
@@ -67,9 +67,8 @@ sequence by process.entity_id, host.id with maxspan=1s
      "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init"
     )
   ] with runs=25
-  [file where host.os.type == "linux" and event.action == "creation" and file.name : (
-     "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*"
-    )
+  [file where host.os.type == "linux" and event.action == "creation" and
+   file.name : ("*restore*", "*lock*", "*recovery*", "*read*", "*instruction*", "*how_to*", "*ransom*")
   ]
 '''