[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)

* updated content to reflect changes from Security Docs team

* Update rules/linux/execution_flock_binary.toml

* Update rules/linux/execution_expect_binary.toml

* TOML linting

* added escape for crdential_access_spn_attribute_modified.toml

(cherry picked from commit e9f5585a9f)

rules/linux/execution_ssh_binary.toml

@@ -1,21 +1,22 @@
 [metadata]
 creation_date = "2022/03/10"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/29"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary ssh abuse to break out from restricted environments by spawning an interactive system shell.The
-ssh is a network protocol that gives users,particularly system administrators a secure way to access a computer over a
-network and the activity of spawning shell is not a standard use of this binary for a user or system administrator.It
-indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
+Identifies Linux binary SSH abuse to break out from restricted environments by spawning an interactive system shell. The
+SSH protocol is a network protocol that gives users, particularly system administrators, a secure way to access a
+computer over a network. The activity of spawning shell is not a standard use of this binary for a user or system
+administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
+access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Linux Restricted Shell Breakout via the ssh command"
+name = "Linux Restricted Shell Breakout via the SSH command"
 references = ["https://gtfobins.github.io/gtfobins/ssh/"]
 risk_score = 47
 rule_id = "97da359b-2b61-4a40-b2e4-8fc48cf7a294"